Volume 10 Arithmetic Geometry and Number Theory John ...107.5 Function Field 3431 107.5.1 Function Field and Polynomial Ring 3431 107.6 Points 3432 107.6.1 Creation of Points 3432

HANDBOOK OF MAGMA FUNCTIONS

Volume 10

Arithmetic Geometry and Number Theory

John Cannon Wieb Bosma

Claus Fieker Allan Steel

Editors

Version 2.14

Sydney

May 2, 2008

ii

MAGMAC O M P U T E R • A L G E B R A

HANDBOOK OF MAGMA FUNCTIONS

Editors:

John Cannon Wieb Bosma Claus Fieker Allan Steel

Handbook Contributors:

Geoff Bailey, Wieb Bosma, Gavin Brown, Nils Bruin,

John Cannon, Jon Carlson, Scott Contini, Bruce Cox,

Steve Donnelly, Tim Dokchitser, Willem de Graaf, Claus

Fieker, Damien Fisher, Volker Gebhardt, Sergei Haller,

Michael Harrison, Florian Hess, Derek Holt, David Ko-

hel, Axel Kohnert, Dimitri Leemans, Paulette Lieby, Gra-

ham Matthews, Scott Murray, Eamonn O’Brien, Ben Smith,

Bernd Souvignier, William Stein, Allan Steel, Damien Stehle,

Nicole Sutherland, Don Taylor, Bill Unger, Alexa van der

Waall, Paul van Wamelen, Helena Verrill, John Voight, Mark

Watkins, Greg White

Production Editors:

Wieb Bosma Claus Fieker Allan Steel Nicole Sutherland

HTML Production:

Claus Fieker Allan Steel

VOLUME 10: OVERVIEW

XVI ARITHMETIC GEOMETRY . . . . . . . . . . 3229102 RATIONAL CURVES AND CONICS 3231103 ELLIPTIC CURVES 3255104 ELLIPTIC CURVES OVER FINITE FIELDS 3357105 ELLIPTIC CURVES OVER FUNCTION FIELDS 3381106 MODELS OF GENUS ONE CURVES 3399107 HYPERELLIPTIC CURVES 3415108 L-FUNCTIONS 3491

vi VOLUME 10: CONTENTS

VOLUME 10: CONTENTS

XVI ARITHMETIC GEOMETRY 3229

102 RATIONAL CURVES AND CONICS . . . . . . . . . . . . 3231

102.1 Introduction 3233102.2 Rational Curves and Conics 3234102.2.1 Rational Curve and Conic Creation 3234102.2.2 Access Functions 3235102.2.3 Rational Curve and Conic Examples 3236102.3 Conics 3239102.3.1 Elementary Invariants 3239102.3.2 Alternative Defining Polynomials 3239102.3.3 Alternative Models 3240102.3.4 Other Functions on Conics 3240102.4 Local–Global Correspondence 3241102.4.1 Local Conditions for Conics 3241102.4.2 Norm Residue Symbol 3241102.5 Rational Points on Conics 3243102.5.1 Finding Points 3243102.5.2 Point Reduction 3245102.6 Isomorphisms 3247102.6.1 Isomorphisms with Standard Models 3247102.7 Automorphisms 3251102.7.1 Automorphisms of Rational Curves 3251102.7.2 Automorphisms of Conics 3252102.8 Bibliography 3254

103 ELLIPTIC CURVES . . . . . . . . . . . . . . . . . . . 3255

103.1 Introduction 3261103.2 Creation Functions 3262103.2.1 Creation of an Elliptic Curve 3262103.2.2 Creation Predicates 3266103.2.3 Changing the Base Ring 3266103.2.4 Alternative Models 3267103.2.5 Predicates on Curve Models 3268103.2.6 Twists of Elliptic Curves 3269103.3 Operations on Curves 3272103.3.1 Elementary Invariants 3272103.3.2 Associated Structures 3275103.3.3 Predicates on Elliptic Curves 3275103.4 Subgroup Schemes 3276103.4.1 Creation of Subgroup Schemes 3276103.4.2 Associated Structures 3277103.4.3 Predicates on Subgroup Schemes 3277103.4.4 Points of Subgroup Schemes 3277103.5 Operations on Point Sets 3278103.5.1 Creation of Point Sets 3279103.5.2 Associated Structures 3279103.5.3 Predicates on Point Sets 3280103.6 Operations on Points 3281

VOLUME 10: CONTENTS vii

103.6.1 Creation of Points 3281

103.6.2 Creation Predicates 3282

103.6.3 Access Operations 3282

103.6.4 Associated Structures 3282

103.6.5 Arithmetic 3283

103.6.6 Division Points 3283

103.6.7 Point Order 3286

103.6.8 Predicates on Points 3286

103.6.9 Weil Pairing 3288

103.7 Polynomials 3289

103.8 Curves over the Rationals 3290

103.8.1 Local Invariants 3290

103.8.2 Kodaira Symbols 3291

103.8.3 Complex Multiplication 3292

103.8.4 Isogenous Curves 3293

103.8.5 Mordell–Weil Group 3294

103.8.6 Heights and Height Pairing 3298

103.8.7 Two-Descent and Two-Coverings 3302

103.8.8 The Cassels-Tate Pairing 3305

103.8.9 Four-Descent 3306

103.8.10 Eight-Descent 3309

103.8.11 Three-Descent 3310

103.8.12 Heegner Points 3316

103.8.13 Analytic Information 3323

103.9 Integral and S-integral Points 3327

103.9.1 Integral Points 3328

103.9.2 S-integral Points 3329

103.10 Elliptic Curve Database 3331

103.11 Curves over Number Fields 3334


103.11.2 Complex Multiplication 3336

103.11.3 Torsion Information 3336

103.11.4 Heights 3336

103.11.5 Selmer Groups 3337

103.11.6 Mordell–Weil Group 3342

103.11.7 Elliptic Curve Chabauty 3343

103.11.8 Auxiliary functions for etale algebras 3345

103.12 Morphisms 3347

103.12.1 Creation Functions 3347

103.12.2 Structure Operations 3351

103.12.3 The Endomorphism Ring 3352

103.12.4 The Automorphism Group 3353

103.12.5 Predicates on Isogenies 3353

103.13 The formal group law 3354

103.14 Curves over p-adic Fields 3354


103.15 Bibliography 3355

viii VOLUME 10: CONTENTS

104 ELLIPTIC CURVES OVER FINITE FIELDS . . . . . . . . 3357

104.1 Supersingular Curves 3359

104.2 The Order of the Group of Points 3360104.2.1 Point Counting 3360104.2.2 Zeta Functions 3365104.2.3 Cryptographic Elliptic Curve Domains 3366

104.3 Enumeration of Points 3367

104.4 Abelian Group Structure 3368

104.5 Pairings on Elliptic Curves 3369104.5.1 Weil pairing 3369104.5.2 Tate pairing 3369104.5.3 Eta pairing 3370104.5.4 Ate pairing 3371

104.6 Weil Descent in Characteristic Two 3375

104.7 Discrete Logarithms 3377


105 ELLIPTIC CURVES OVER FUNCTION FIELDS . . . . . . 3381

105.1 An Overview of Relevant Theory 3383

105.2 Local computations 3385

105.3 Heights 3386

105.4 The Torsion Subgroup 3387

105.5 The Mordell-Weil Group 3388

105.6 Two-descent 3389

105.7 The L-function and counting points 3391

105.8 Action of Frobenius 3393

105.9 Extended Examples 3394


106 MODELS OF GENUS ONE CURVES . . . . . . . . . . . . 3399

106.1 Introduction 3401

106.2 Related functionality 3402

106.3 Creation of Genus One Models 3402

106.4 Predicates on Genus One Models 3405

106.5 Access Functions 3405

106.6 Minimisation and Reduction 3406

106.7 Genus One Models as Coverings 3408

106.8 Families of Elliptic Curves with Prescribed n-Torsion 3409

106.9 Transformations between Genus One Models 3409

106.10 Invariants for Genus One Models 3410

106.11 Covariants and Contravariants for Genus One Models 3411

106.12 Extended Example 3412


VOLUME 10: CONTENTS ix

107 HYPERELLIPTIC CURVES . . . . . . . . . . . . . . . . 3415

107.1 Introduction 3419107.2 Creation Functions 3419107.2.1 Creation of a Hyperelliptic Curve 3419107.2.2 Creation Predicates 3420107.2.3 Changing the Base Ring 3421107.2.4 Models 3422107.2.5 Predicates on Models 3424107.2.6 Twisting Hyperelliptic Curves 3425107.2.7 Type Change Predicates 3426107.3 Operations on Curves 3426107.3.1 Elementary Invariants 3426107.3.2 Igusa Invariants 3427107.3.3 Base Ring 3430107.4 Creation from Invariants 3430107.5 Function Field 3431107.5.1 Function Field and Polynomial Ring 3431107.6 Points 3432107.6.1 Creation of Points 3432107.6.2 Random Points 3433107.6.3 Predicates on Points 3433107.6.4 Access Operations 3434107.6.5 Arithmetic of Points 3434107.6.6 Enumeration and Counting Points 3434107.6.7 Frobenius 3436107.7 Isomorphisms and Transformations 3436107.7.1 Creation of Isomorphisms 3436107.7.2 Arithmetic with Isomorphisms 3437107.7.3 Invariants of Isomorphisms 3438107.7.4 Automorphism Group and Isomorphism Testing 3438107.8 Jacobians 3442107.8.1 Creation of a Jacobian 3442107.8.2 Access Operations 3442107.8.3 Base Ring 3442107.8.4 Changing the Base Ring 3443107.9 Points on the Jacobian 3443107.9.1 Creation of Points 3444107.9.2 Random Points 3447107.9.3 Booleans and Predicates for Points 3448107.9.4 Access Operations 3448107.9.5 Arithmetic of Points 3448107.9.6 Order of Points on the Jacobian 3449107.9.7 Frobenius 3450107.9.8 Weil Pairing 3450107.10 Rational Points and Group Structure over finite fields 3451107.10.1 Enumeration of Points 3451107.10.2 Counting Points on the Jacobian 3451107.10.3 Deformation Point Counting 3456107.10.4 Abelian Group Structure 3457107.11 Jacobians over Number Fields or Q 3458107.11.1 Searching For Points 3458107.11.2 Torsion 3458107.11.3 Heights and Regulator 3460107.11.4 The 2-Selmer Group 3464107.12 Chabauty’s Method 3469107.13 Kummer Surfaces 3474

x VOLUME 10: CONTENTS

107.13.1 Creation of a Kummer Surface 3474107.13.2 Structure Operations 3474107.13.3 Base Ring 3474107.13.4 Changing the Base Ring 3474107.14 Points on the Kummer Surface 3475107.14.1 Creation of Points 3475107.14.2 Access Operations 3475107.14.3 Predicates on Points 3475107.14.4 Arithmetic of Points 3476107.14.5 Rational Points on the Kummer Surface 3476107.14.6 Pullback to the Jacobian 3477107.15 Analytic Jacobians of Hyperelliptic Curves 3477107.15.1 Creation and Access Functions 3478107.15.2 Maps between Jacobians 3480107.15.3 From Period Matrix to Curve 3486107.15.4 Voronoi Cells 3488107.16 Bibliography 3489

108 L-FUNCTIONS . . . . . . . . . . . . . . . . . . . . . 3491

108.1 Overview 3493108.2 Built-in L-series 3494108.3 Computing L-values 3499108.4 Arithmetic with L-series 3501108.5 General L-series 3503108.5.1 Terminology 3503108.5.2 Constructing a General L-Series 3504108.5.3 Setting the Coefficients 3508108.5.4 Specifying the Coefficients Later 3508108.5.5 Generating the Coefficients from Local Factors 3510108.6 Accessing the Invariants 3510108.7 Precision 3512108.7.1 L-series with Unusual Coefficient Growth 3512108.7.2 Computing L(s) when Im(s) is Large (ImS Parameter) 3513108.7.3 Implementation of L-series Computations (Asymptotics Parameter) 3513108.8 Verbose Printing 3513108.9 Advanced Examples 3514108.9.1 Self-made L-series of an Elliptic Curve 3514108.9.2 Self-made Dedekind Zeta Function 3515108.9.3 L-series of a Genus 2 Hyperelliptic Curve 3515108.9.4 Experimental Mathematics for Small Conductor 3517108.9.5 Tensor Product of L-series Coming from l-adic Representations 3518108.9.6 Non-abelian Twist of an Elliptic Curve 3519108.10 Bibliography 3520

PART XVIARITHMETIC GEOMETRY

102 RATIONAL CURVES AND CONICS 3231

103 ELLIPTIC CURVES 3255

104 ELLIPTIC CURVES OVER FINITE FIELDS 3357

105 ELLIPTIC CURVES OVER FUNCTION FIELDS 3381

106 MODELS OF GENUS ONE CURVES 3399

107 HYPERELLIPTIC CURVES 3415

108 L-FUNCTIONS 3491

102 RATIONAL CURVES AND CONICS102.1 Introduction . . . . . . . 3233

102.2 Rational Curves and Conics 3234

102.2.1 Rational Curve and Conic Creation3234

Conic(coeffs) 3234Conic(M) 3234Conic(X,f) 3234IsConic(S) 3234RationalCurve(X,f) 3234IsRationalCurve(C) 3234

102.2.2 Access Functions . . . . . . . 3235

DefiningPolynomial(C) 3235DefiningIdeal(C) 3235BaseRing BaseField 3235Category Type 3235

102.2.3 Rational Curve and Conic Exam-ples . . . . . . . . . . . . . 3236

102.3 Conics . . . . . . . . . . 3239

102.3.1 Elementary Invariants . . . . . 3239

Discriminant(C) 3239

102.3.2 Alternative Defining Polynomials 3239

LegendrePolynomial(C) 3239ReducedLegendrePolynomial(C) 3239

102.3.3 Alternative Models . . . . . . 3240

LegendreModel(C) 3240ReducedLegendreModel(C) 3240

102.3.4 Other Functions on Conics . . . 3240

MinimalModel(C) 3240

102.4 Local–Global Correspondence 3241

102.4.1 Local Conditions for Conics . . . 3241

BadPrimes(C) 3241

102.4.2 Norm Residue Symbol . . . . . 3241

NormResidueSymbol(a,b,p) 3241

NormResidueSymbol(a,b,p) 3241HilbertSymbol(a, b, p : -) 3242HilbertSymbol(a, b, p) 3242

102.5 Rational Points on Conics . 3243

102.5.1 Finding Points . . . . . . . . 3243

HasRationalPoint(C) 3243RationalPoint(C) 3244Random(C) 3244Points(C) 3244RationalPoints(C) 3244LegendresMethod(a, b) 3245

102.5.2 Point Reduction . . . . . . . . 3245

IsReduced(p) 3245Reduction(p: -) 3245

102.6 Isomorphisms . . . . . . . 3247

102.6.1 Isomorphisms with Standard Mod-els . . . . . . . . . . . . . . 3247

Conic(C) 3248ParametrizationMatrix(C) 3248Parametrization(C) 3249Parametrization(C, P) 3249Parametrization(C, p) 3249Parametrization(C, p, P) 3249ParametrizeOrdinaryCurve(C) 3250ParametrizeOrdinaryCurve(C, p) 3250ParametrizeOrdinaryCurve(C, p, I) 3250ParametrizeRationalNormalCurve(C) 3250

102.7 Automorphisms . . . . . . 3251

102.7.1 Automorphisms of Rational Curves3251

Automorphism(C,S,T) 3251

102.7.2 Automorphisms of Conics . . . 3252

QuaternionAlgebra(C) 3252Automorphism(C,a) 3252

102.8 Bibliography . . . . . . . 3254

Chapter 102

RATIONAL CURVES AND CONICS

102.1 Introduction

This chapter describes the specialized categories of nonsingular plane curves of genus zero:the rational plane curves and conics. Rational curves and conics in Magma are nonsingularplane curves of degree 1 and 2, respectively. The central functionality for conics concernsthe existence of points over the rationals. If a point is known to exist, then a conic can beparameterized by a projective line or a rational curve. In addition several algorithms areimplemented to convert conics to standard Legendre, or diagonal, models, and for curvesover Q, to a reduced Legendre model or a minimal model. A rational curve in Magma isa linearly embedded image of the projective line, to which the full machinery of algebraicplane curves can be applied. The special category of conics is the called CrvCon and thatof rational curves is CrvRat.

The central algorithms of this chapter deal with this classification and reduction of genuszero curves to one of the standard models to which efficient algorithms can be applied.These special types serve to classify all curves up to birational isomorphism. Since thecanonical divisor KC of a genus zero curve is of degree −2, a basis for the Riemann-Roch space of the effective divisor −KC has dimension 3, and gives an anti-canonicalembedding in the projective plane. The homogeneous quadratic relations between thefunctions define a conic model for any genus zero curve. If the curve has a rational point,then a similar construction with the divisor of this point gives a birational isomorphismwith the projective line. For conics over the rationals, efficient algorithms of Simon [Sim05]allow one to first find a point, if one exists, and then to reduce to simpler models. Theexistence of a point is easily determined by local conditions, and this local data is carried bythe data of the ramified or bad primes of reduction, and if such a point exists, the existencecan be certified by a certificate. Simon’s algorithm in fact parametrises the curve (by theprojective line) which gives a birational isomorphism with the curve.

Not every curve of genus zero can be “trivialized” by reduction to a rational curve inthis way; the obstruction to having a rational point and therefore to being parameterizedby a projective line is measured on the one hand by the primes of bad reduction, but alsoby the automorphism group, both of which are closely associated to an isomorphism classof quaternion algebras. The final algorithms of this chapter make use of this connection tocompute the automorphism group of a curve, and to classify find isomorphisms betweenconics.

3234 ARITHMETIC GEOMETRY Part XVII

102.2 Rational Curves and Conics

The general tools for constructing and analyzing curves are described in Chapter 99. We donot repeat them here, but rather give some examples to demonstrate those basics that theuser will need in Section 102.2.3. In Section 102.2 we describe the main parametrizationfunction for rational curves and functions which enable type change from a curve of genuszero to a rational curve.

102.2.1 Rational Curve and Conic CreationRational curves and conics are the specialized types for nonsingular plane curves of genuszero, defined by polynomials of degree 1 and 2, respectively. The condition of nonsingu-larity is equivalent to that of absolute irreducibility for conics, and imposes no conditionon a linear equation in the plane.

Conic(coeffs)

Ambient Sch Default :

This creates a conic curve with the given sequence of coefficients (which should havelength 3 or 6). A sequence [a, b, c] designates the conic aX2 + bY 2 + cZ2, while asequence [a, b, c, d, e, f ] designates the conic aX2 + bY 2 + cZ2 +dXY +eY Z +fXZ.

Conic(M)

Ambient Sch Default :

This creates a conic curve associated to the given matrix M , which must be sym-metric. Explicitly, the equation of the conic is [X, Y, Z]M [X, Y, Z]tr.

Conic(X,f)

Construct the conic C defined by the polynomial f in the projective plane X. Theparameters and most specialised algorithms for conics apply only to curves whosebase ring is the integers or the rationals.

IsConic(S)

Returns true if and only if the scheme S is a nonsingular plane curve of degree 2,in which case it returns a curve (of type CrvCon) with the same defining polynomialas a second value.

RationalCurve(X,f)

The rational curve in the projective plane X determined by the linear polynomial f .

IsRationalCurve(C)

Returns true if and only if the scheme C is defined by a linear polynomial in someprojective plane P2, and if so, returns a curve with the same defining polynomial inP2 of type CrvRat as the second return value.

Ch. 102 RATIONAL CURVES AND CONICS 3235

Example H102E1

In the following example we create a degree 2 curve over the rational field, the create a new curveof type conic using IsConic.

> P2<x,y,z> := ProjectivePlane(Rationals());

> C0 := Curve(P2,x^2 + 3*x*y + 2*y^2 - z^2);

> C0;

Curve over Rational Field defined by

x^2 + 3*x*y + 2*x^2 - z^2

> bool, C1 := IsConic(C0);

Clearly this is a nonsingular degree two curve, so bool must be true, and we have created a newcurve C1 in the same ambient space P2, but of type conic.

> C1;

Conic over Rational Field defined by

x^2 + 3*x*y + 2*y^2 - z^2

> AmbientSpace(C0) eq AmbientSpace(C1);

true

> DefiningIdeal(C0) eq DefiningIdeal(C1);

true

> C0 eq C1;

false

> Type(C0);

CrvPln

> Type(C1);

CrvCon

The equality test fails here, because the two objects are of different Magma type.

102.2.2 Access FunctionsThe basic access functions for rational curves and conics are inherited from the generalmachinery for plane curves and hypersurface schemes.

DefiningPolynomial(C)

Returns the defining polynomial of the conic or rational curve C.

DefiningIdeal(C)

Returns the defining ideal of the conic or rational curve C.

BaseRing(C) BaseField(C)

Returns the base ring of the curve C.

Category(C) Type(C)

Returns the category of rational curves CrvRat or of conics CrvCon; these are specialsubtypes of planes curves (type CrvPln), which are themselves subtypes of generalcurves (type Crv).


102.2.3 Rational Curve and Conic ExamplesWe develop several examples which illustrate the creation of genus zero curves, reductionto standard models (conics and rational curves), and the facilities for finding points onthese models, and finaling the corresponding trivialization by parametrizing the curve bya projective line.

Example H102E2

We begin with a example of a singular curve of geometric genus zero.

> P2<x,y,z> := ProjectivePlane(FiniteField(71));

> C := Curve(P2,(x^3 + y^2*z)^2 - x^5*z);

> C;

Curve over GF(71) defined by

x^6 + 70*x^5*z + 69*x^3*y^2*z + y^4*z^2

> ArithmeticGenus(C);

10

> Genus(C);

0

> #RationalPoints(C);

73

> Z := SingularSubscheme(C);

> Degree(Z);

18

This curve is highly singular, but is geometrically of genus zero and since at most 18 of 73 pointsare singular, there exists a nonsingular point which makes it birational to a projective line.

A curious note is that there are 73, not 72 points, as one would expect for a nonsingular curve ofgenus zero. So we will investigate the source of the extra points.

> cmps := IrreducibleComponents(Z);

> [ Degree(X) : X in cmps ];

[ 11, 7 ]

> [ Degree(ReducedSubscheme(X)) : X in cmps ];

[ 1, 1 ]

> [ RationalPoints(X) : X in cmps ];

[

@ (0 : 0 : 1) @,

@ (0 : 1 : 0) @

]

Since the only singular rational points on C are (0 : 0 : 1) and (0 : 1 : 0) the “obvious” point(1 : 0 : 1) must be nonsingular, and we can use it to obtain a rational parametrization of thecurve, as explained in Section 102.6.

> P1<u,v> := ProjectiveSpace(FiniteField(71),1);

> p := C![1,0,1];

> m := Parametrization(C, Place(p), Curve(P1));

> S1 := @ m(q) : q in RationalPoints(P1) @;


> #S1;

72

> [ q : q in RationalPoints(C) | q notin S1 ];

[ (0 : 1 : 0) ]

We conclude that the extra point comes from a singularity, whose resolution does not have anydegree one places over it (see Section 99.9 of Chapter 99 for background on places of curves). Wecan verify this explicitly.

> [ Degree(p) : p in Places(C![0,1,0]) ];

[ 2 ]

Strictly speaking, in the previous example we have bypassed the datatypes of rationalcurves and conics, but the principal strategies of reducing a genus zero curve to one ofstandard form is demonstrated. In harder cases, over the rationals or a number field, wemight not be able to find any rational point at all. In the next example, we constructanother curve of genus zero over the rationals, without knowing a priori, that there existsany rational point.

Example H102E3

In this example we start by defining a projective curve and we check that it is rational, that is, ithas genus zero.

> P2<x,y,z> := ProjectiveSpace(Rationals(),2);

> C0 := Curve(P2,x^2 - 54321*x*y + y^2 - 97531*z^2);

> IsNonsingular(C0);

true

The curve C is defined as a degree 2 curve over the rationals. By making a preliminary typechange to the type of conics, CrvCon, we can test whether there exists a rational point over Q,and use efficient algorithms of Section 102.5.1 for finding rational points on curves in conic form.The existence of a point is equivalent to the existence of a parametrization of the curve by theprojective line. To make the parametrization both efficient and useful, it is crucial to have a pointof small size, which is obtained by the reduction algorithms of Section 102.5.2

> bool, C1 := IsConic(C0);

> bool;

true

> C1;


x^2 - 54321*x*y + y^2 - 97531*z^2

> HasRationalPoint(C1);

true (398469/162001 : -118246/162001 : 1)

> RationalPoint(C1);

(398469/162001 : -118246/162001 : 1)

The parametrization intrinsic requires a one-dimensional ambient space as one of the arguments.This space will be used as the domain of the parametrization map.

> P1<u,v> := ProjectiveSpace(Rationals(),1);


> phi := Parametrization(C1, Curve(P1));

> phi;

Mapping from: Prj: P1 to CrvCon: C1

with equations :

398469*u^2 + 944072*u*v + 559185*v^2

-118246*u^2 - 200850*u*v - 85289*v^2

162001*u^2 + 329499*u*v + 162991*v^2

and inverse

-4634102139*x + 30375658963*y + 31793350442*z

5456130497*x - 25641668406*y - 32136366969*z

and alternative inverse equations :

5456130497*x - 25641668406*y - 32136366969*z

-6424037904*x + 21645471041*y + 31600239062*z

The defining functions for the parametrization may look large, but they are defined simply bya linear change of variables from the 2-uple embedding of the projective line in the projectiveplane. We demonstrate that the algorithm has found a nontrivial point and parametrization, byattempting to use the naive point sieve of Section 102.5.1 to find any small points.

> time RationalPoints(C1 : Bound := 100000);

@ @

Time: 13.540

Now, despite the lack of points with small coefficients, the parametrization lets us realize anynumber of rational points on the curve.

> phi(P1![0,1]);

(559185/162991 : -85289/162991 : 1)

> phi(P1![1,1]);

(1901726/654491 : -404385/654491 : 1)

> phi(P1![1,0]);

(398469/162001 : -118246/162001 : 1)

Example H102E4

The following statements give simple examples of the use of some of the access functions. Theyuse the same conics as defined in Section 102.2.1, but we repeat their definition for clarity.

> P2<x,y,z> := ProjectiveSpace(RationalField(),2);

> f := 1134*x^2 - 28523*x*y - 541003*x*z - 953*y^2 - 3347*y*z - 245*z^2;

> C := Conic(P2, f);

> LegendrePolynomial(C);

1134*x^2 - 927480838158*y^2 - 186042605936505203884941*z^2

> ReducedLegendrePolynomial(C);

817884337*x^2 - y^2 - 353839285266278*z^2

> P<t> := PolynomialRing(RationalField());

> K := NumberField(t^2 - t + 723);

> C := BaseExtend(C,K);


102.3 Conics

In this section we discuss the creation and basic attributes of conics, particularly the stan-dard models for them. In subsequent sections we treat the local-global theory and existenceof points on conics, the efficient algorithms for finding rational points, parametrizationsand isomorphisms of genus zero curves with standard models and finally the automorphismgroup of conics.

102.3.1 Elementary Invariants

Discriminant(C)

Given a conic C, returns the discriminant of C. The discriminant of a curve withdefining equation

a11x2 + a12xy + a13xz + a22y

2 + a23yz + a33z2 = 0

is defined to be the value of the degree 3 form

4a11a22a33 − a11a223 − a2

12a33 + a12a13a23 − a213a22.

Over any ring in which 2 is invertible, this is just 1/2 times the determinant of thematrix

2a11 a12 a13

a12 2a22 a23

a13 a23 2a33

.

102.3.2 Alternative Defining PolynomialsThe functions described here provide access to basic information stored for a conic C.In addition to the defining polynomial, curves over the rationals compute and store adiagonalized Legendre model for the curve, whose defining polynomial can be accessed.

LegendrePolynomial(C)

The Legendre polynomial of the conic C, a diagonalized defining polynomial ax2 +by2 + cz2 for the curve which, once computed, is stored as an attribute. As a secondvalue, the transformation matrix is returned, defining the isomorphism from C tothe Legendre model.

ReducedLegendrePolynomial(C)

The reduced Legendre polynomial of the conic C over Q or Z, that is, a diagonalizedintegral polynomial whose coefficients are pairwise coprime and square-free. As asecond value, the transformation matrix to this model is returned, defining theisomorphism from C to the Legendre model.


102.3.3 Alternative Models

LegendreModel(C)

Returns the Legendre model of the conic C — an isomorphic curve of the form

ax2 + by2 + cz2 = 0,

together with an isomorphism to this model.

ReducedLegendreModel(C)

The reduced Legendre model of the conic C over Q, that is, a curve in the diagonalform ax2 + by2 + cz2 = 0 whose coefficients are pairwise coprime and square-free.As a second value, the isomorphism from C to this model is returned.

102.3.4 Other Functions on Conics

MinimalModel(C)

Return a conic, the matrix of whose defining polynomial has smaller discriminantthan that of the conic C. The algorithm used is the minimization part of Simon’salgorithm, ([Sim05]), used in HasRationalPoint. A map from the conic returnedto C is also returned.

Example H102E5

In the following example we are able to reduce the conic at 13.


> f := 123*x^2 + 974*x*y - 417*x*z + 654*y^2 + 113*y*z - 65*z^2;


> BadPrimes(C);

[ 491, 18869 ]

> [x[1] : x in Factorization(Integers()!Discriminant(C))];

[ 13, 491, 18869 ]

> MinimalModel(C);


-9*x^2 + 4*x*y + 6*x*z + 564*y^2 + 178*y*z + 1837*z^2

Mapping from: Conic over Rational Field defined by

-9*x^2 + 4*x*y + 6*x*z + 564*y^2 + 178*y*z + 1837*z^2 to CrvCon: C

with equations :

x + 6*y - 10*z

-x - 8*y + 4*z

-8*x - 50*y + 61*z

and inverse

-144/13*x + 67/13*y - 28/13*z

29/26*x - 19/26*y + 3/13*z

-7/13*x + 1/13*y - 1/13*z


102.4 Local–Global Correspondence

The Hasse–Minkowski principle for quadratic forms implies that a conic has a point overa number field if and only if it has a point over its completion at every finite and infiniteprime. The provides an effective set of conditions for determining whether a conic hasa point: only the finite number of primes dividing the discriminant of the curve need tobe checked, and by Hensel’s Lemma, it is only necessary to check this condition to finiteprecision. The theory holds over any global field (a number field or the function field of acurve over a finite field), but the algorithms implemented at present only treat the field Q.

102.4.1 Local Conditions for ConicsWe say that p is a ramified or bad prime for a conic C if there exists no p-integral modelfor C with nonsingular reduction. Every such prime is a divisor of the coefficients of theLengendre polynomial. However in general it is not possible to have a Legendre modelwhose coefficients are divisible only by the ramified primes. We use the term ramified orbad prime for a conic to refer to the local properties of C which are independent of themodels.

BadPrimes(C)

Given a conic C over the rationals, returns the sequence of the finite ramified primesof C, at which C has intrinsic locally singular reduction. This uses quarternionalgebras.N.B. Although the infinite prime is not included, the data of whether or not C/Qis ramified at infinity is carried by the length of this sequence. The number of badprimes, including infinity, must be even, so the parity of the sequence length specifiesthe ramification information at infinity.

102.4.2 Norm Residue SymbolHilbert’s norm residue symbol logically pertains to the theory of quadratic forms andlattices, and to that of quadratic fields and their norm equations. We express it here forits relevance to determining conditions for existence of local points on conics over Q. Thenorm residue symbol gives a precise condition for a quadratic form to represent zero overQp, or more generally over any local field, which is equivalent to the condition that a conichas a point.

An explicit treatment of the properties and theory of the norm residue symbol can befound in Cassels [Cas78]; the Hilbert symbol is treated by Lam [Lam73].

NormResidueSymbol(a,b,p)

NormResidueSymbol(a,b,p)

Given two rational numbers or integers a and b, and a prime p, returns 1 if thequadratic form ax2 + by2 − z2 represents zero over Qp, and returns −1 otherwise.


HilbertSymbol(a, b, p : parameters)

HilbertSymbol(a, b, p)

Al MonStgElt Default : “NormResidueSymbol”

Computes the Hilbert symbol (a, b)p, where a, b are elements of a number field,and p is either a prime number (if a, b ∈ Q) or a prime ideal. For a, b ∈ Q,by default Magma uses table-lookup to compute the Hilbert symbol (or theNormResidueSymbol); one may insist on using the full algorithm by setting theoptional argument Al to Evaluate.

Example H102E6

In the following example we show how the norm residue symbols can be used to determine thebad primes of a conic.


> a := 234; b := -33709; c := 127;

> C := Conic(P2,a*x^2 + b*y^2 + c*z^2);

> HasRationalPoint(C);

false

> fac := Factorization(Integers()!Discriminant(C));

> fac;

[ <2, 3>, <3, 2>, <13, 2>, <127, 1>, <2593, 1> ]

So we only need to test the primes 2, 3, 13, 127 and 2593. By scaling the defining polynomial ofthe curve ax2 + by2 + cz2 = 0 by −1/c, we obtain the quadratic form −a/cx2 − b/cy2 − z2, whichmeans we want to check the Hilbert symbols for the coefficient pair (−a/c,−b/c).

> [ NormResidueSymbol(-a/c,-b/c,p[1]) : p in fac ];

[ -1, 1, 1, -1, 1 ];

The norm residue symbol indicates that only 2 and 127 have no local p-adic solutions, whichconfirms the bad primes as reported by Magma.

> BadPrimes(C);

[ 2, 127 ]


102.5 Rational Points on Conics

This section contains functions for deciding solubility, and finding points on conics overthe following base fields: the rationals, finite fields, number fields and rational functionfields in odd characteristic.

A point on a conic C is given as a point in the pointset C(K) where K is the basering of the conic, unless that base ring is the integers Z, in which case the returned pointbelongs to the pointset C(Q).

Over the rationals (or integers), the algorithm used to find rational points is due toD. Simon[Sim05]. Simon’s algorithm works with the symmetric matrix of the definingpolynomial of the conic. It computes transformations reducing the determinant of thematrix by each of the primes which divide the discriminant of the conic, until it hasabsolute value 1. After this it does an indefinite LLL which reduces it to a unimodularintegral diagonal matrix, which is equivalent to the conic x2 + y2 − z2 = 0, and then thePythagorean parametrization of this can be pulled back to the original conic.

The existence of a point on conic C/Q is determined entirely by local solubility condi-tions, which are encapsulated in a solubility certificate.The algorithm of Simon determineslocal solubility as it works prime-by-prime, in its calculation of square roots modulo primes.In theory the existence of a point can be determined using Legendre symbols instead ofcomputing these square roots. This is not implemented because the running time is dom-inated by the time needed to factorise the discriminant.

Over finite fields, the algorithm used for finding a point (x : y : 1) on a conic is to solvefor y at random values of x.

Over number fields, the algorithm for finding points is an adaptation of Legendre’smethod has been implemented, which finds points on diagonal conics x2 − ay2 − bz2 = 0.This may be called directly, with LegendresMethod(a,b).

Over rational function fields, the algorithm for solving conics is due to Cremona andvan Hoeij (see [CR06]). The implementation was contributed by John Cremona and DavidRoberts.

102.5.1 Finding PointsThe main function is HasRationalPoint, which also returns a point when one exists. This(and also RationalPoint) works over various kinds of fields; the other functions work onlyover the rationals (or integers) and finite fields.

When a point is returned, it is also cached for later use.

HasRationalPoint(C)

The conic C should be defined over the integers, rationals, a finite field, a numberfield, or a rational function field over a finite field of odd characteristic. The functionreturns true if and only if there exists a point on the conic C, and if so, also returnsone such point.


RationalPoint(C)

The conic C should be defined over the integers, rationals, a finite field, a numberfield, or a rational function field over a finite field of odd characteristic. If thereexists a rational point on C over its base ring, then a representative point is returned,otherwise an error results.

Random(C)

Bound RngIntElt Default : 109

Reduce BoolElt Default : false

Returns a randomly selected rational point of the conic C. Such a solution isobtained by choosing random integers up to the bound specified by the parameterBound, followed by evaluation at a parametrization of C, then by point reduction,if so specified by Reduce.

Points(C)

RationalPoints(C)


Given a conic over the rationals or a finite field, an indexed set of the rational pointsof the conic is returned. If the curve is over the rationals, then a positive value forthe parameter Bound must be given; this function then returns those points whoseintegral coordinates, on the reduced Legendre model, are bounded by the value ofBound.

Example H102E7

We define three conics in Legendre form, having the same prime divisors in their discriminants,which differ only by a sign change (twisting by

√−1) of one of the coefficients.


> C1 := Conic(P2,23*x^2+19*y^2-71*z^2);

> RationalPoints(C1 : Bound := 32);

@ @

> C2 := Conic(P2,23*x^2-19*y^2+71*z^2);


@ @

> C3 := Conic(P2,23*x^2-17*y^2-71*z^2);


@ (-31 : 36 : 1), (-31 : -36 : 1), (31 : 36 : 1), (31 : -36 : 1),

(-8/3 : 7/3 : 1), (-8/3 : -7/3 : 1), (8/3 : 7/3 : 1), (8/3 : -7/3 : 1),

(-28/15 : 11/15 : 1), (-28/15 : -11/15 : 1), (28/15 : 11/15 : 1),

(28/15 : -11/15 : 1) @

This naive search yields no points on the first two curves and numerous points on the third one.A guess that there are no points on either of the first two curves is proved by a call to BadPrimes,


which finds that 19 and 23 are ramified primes for the first curve, and 23 and 71 are ramifiedprimes for the second.

> BadPrimes(C1);

[ 19, 23 ]

> BadPrimes(C2);

[ 23, 71 ]

> BadPrimes(C3);

[]

The fact there are no ramified primes for the third curve is equivalent to a true return value fromthe function HasRationalPoint. As we will see in Section 102.6, and alternative way, which isguaranteed to find points on the third curve, would be to construct a rational parametrization.

LegendresMethod(a, b)

Given two elements a and b in a number field K, this function computes a K-rationalpoint on the diagonal conic x2 − ay2 = bz2, returned as a sequence [x0, y0, z0]. Thesolutions found are often very much smaller than can be found using NormEquation(which is the standard approach to solving conics over number fields).

The algorithm is an adaptation of Legendre’s method for solving diagonal conicsover the rationals. Lattice reduction is used to help with the reduction steps. Inmost cases, after several reduction steps, further reduction becomes difficult; at thatpoint, NormEquation is called to find a point on the reduced conic.

102.5.2 Point ReductionIf a conic C/Q, in Legendre form ax2 + by2 + cz2 = 0, has a point, then Holzer’s Theoremtells us that there exists a point (x : y : z) satisfying

|x| ≤√|bc|, |y| ≤

√|ac|, |z| ≤

√|ab|,

with x, y, and z in Z, or equivalently max(|ax2|, |by2|, |cz2|) ≤ |abc|. Such a point is saidto be Holzer reduced. The current Magma implementation uses a variant of Mordell’sreduction due to Cremona [CR03].

IsReduced(p)

Returns true if and only if the projective point p on a conic in reduced Legendreform satisfies Holzer’s bounds. If the curve is not a reduced Legendre model, thenthe test is done by passing to this model for the test.

Reduction(p: parameters)

Reduces the point p so that it satisfies Holzer’s bounds.


Example H102E8

We provide a tiny example to illustrate reduction and reduction testing on conics.


> C1 := Conic(P2,x^2 + 3*x*y + 2*y^2 - 2*z^2);

> p := C1![0,1,1];

> IsReduced(p);

false

The fact that this point is not reduced is due to the size of the coefficients on the reduced Legendremodel.

> C0, m := ReducedLegendreModel(C1);

> C0;


X^2 - Y^2 - 2*Z^2

> m(p);

(3/2 : 1/2 : 1)

> IsReduced(m(p));

false

> Reduction(m(p));

(-1 : 1 : 0)

> Reduction(m(p))@@m;

(-2 : 1 : 0)

> IsReduced($1);

true

Example H102E9

In this example we illustrate the intrinsics which apply to finding points on conics.


> f := 9220*x^2 + 97821*x*y + 498122*y^2 + 8007887*y*z - 3773857*z^2;


We will now see that C has a reduced solution; indeed, we find two different reduced solutions.For comparison we also find a non-reduced solution.

> HasRationalPoint(C);

true (157010/741 : -19213/741 : 1)

> p := RationalPoint(C);

> p;

(157010/741 : -19213/741 : 1)

> q := Random(C : Reduce := true);

> q;

(-221060094911776/6522127367379 : -49731359955013/6522127367379 : 1)

> q := Random(C : Bound := 10^5);

> q;

(4457174194952129/84200926607090 : -1038901067062816/42100463303545 : 1)

> Reduction($1);


(-221060094911776/6522127367379 : -49731359955013/6522127367379 : 1)

To make a parametrization of C one can use the intrinsic Parametrization to create a map ofschemes from a line to C. Note that if a domain for the parametrization map is not includedamong the arguments, one will be created in the background. It will not have names for itscoordinate functions assigned which is why we do that before viewing the map.

> phi := Parametrization(C);

> P1<u,v> := Domain(phi);

> q0 := P1![0,1]; q1 := P1![1,1]; q2 := P1![1,0];

> phi(q0);

(7946776/559407 : -21332771/1118814 : 1)

> phi(q1);

(26443817/1154900 : -5909829/288725 : 1)

> phi(q2);

(157010/741 : -19213/741 : 1)

> C1, psi := ReducedLegendreModel(C);

> psi(phi(q0));

(-1793715893111/4475256 : -22556441171843029/4475256 : 1)

> p0 := Reduction($1);

> p0;

(1015829527/2964 : -59688728328467/2964 : 1)

> IsReduced(p0);

true

> p0@@psi;

(157010/741 : -19213/741 : 1)

102.6 Isomorphisms

102.6.1 Isomorphisms with Standard ModelsIn this section we discuss isomorphisms between heterogeneous types – isomorphisms be-tween combinations of curves of type Crv, CrvCon, and CrvRat, and their parametrizationsby a projective line.

The first function which we treat here is Conic, and is as much a constructor as anisomorphism. It takes an arbitrary genus zero curve C, and using the anti-canonical divisor−KC of degree 2, constructs the Riemann-Roch space. For a genus zero curve, this is adimension 3 space of degree 2 functions, which gives a projective embedding of C in P2 asa conic. This provides the starting point to make any genus zero curve amenable to thepowerful machinery for point finding and isomorphism classification of conics.

An isomorphism — provided that one exists — of the projective line with a conic canbe described as follows. The 2-uple embedding φ : P1 → P2 is defined by (u : v) 7→ (u2 :


uv : v2) gives an isomorphism of P1 with the conic C0 with defining equation y2 = xz.The inverse isomorphism C0 → P1 is defined by the maps

(x : y : z) 7→ (x : y) on x 6= 0,(x : y : z) 7→ (y : z) on z 6= 0,

respectively. Since these open sets cover the conic C0, this defines an isomorphism, notjust a birational map. In order to describe an isomorphism of a conic C0 with P1, it isthen necessary and sufficient to give a change of variables which maps C0 = φ(P1) ontothe conic C1. This matrix is called the parametrization matrix and is stored together witha conic C1 once a rational point is found.

Conic(C)

Given a curve of genus zero, returns a conic determined by the anti-canonical em-bedding of C.

Example H102E10

We demonstrate the function Conic on the curve of Example H102E2 to find a conic model, eventhough we know that it admits a rational parametrization.

> P2<x,y,z> := ProjectivePlane(FiniteField(71));

> C0 := Curve(P2,(x^3 + y^2*z)^2 - x^5*z);

> C1, m := Conic(C0);

> C1;

Conic over GF(71) defined by

x^2 + 70*x*z + y^2

> m : Minimal;

(x : y : z) -> (x^3*y*z : 70*x^5 + x^4*z + 70*x^2*y^2*z : x^3*y*z + y^3*z^2)

ParametrizationMatrix(C)

This function is an optimized routine for parametrizing a conic C defined over Z orQ. It returns a 3×3 matrix M , which defines a parametrization of C as a projectivechange of variables from the 2-uple embedding of a projective line in the projectiveplane, i.e. for a point (x0 : y0 : z0) on C, the point

(x1 : y1 : z1) = (x0 : y0 : z0)M

satisfies the equation y21 = x1z1. Note that as usual in Magma the action of M is

on the right, and consistently, the action of scheme maps is also on the right.


Example H102E11

In this example we demonstrate that the parametrization matrix determines the precise changeof variables to transform the conic equation into the equation y2 = xz. We begin with a singularplane curve C0 of genus zero and construct a nonsingular conic model in the plane.


> C0 := Curve(P2,(x^3 + y^2*z)^2 - x^5*z);

> C1, m := Conic(C0);

> C1;


x^2 - x*z + y^2

The curve C1 has obvious points, such as (1 : 0 : 1), which Magma internally verifies, withouthaving to make an explicit user call to HasRationalPoint.

> ParametrizationMatrix(C1);

[1 0 1]

[0 1 0]

[0 0 1]

> Evaluate(DefiningPolynomial(C1),[x,y,x+z]);

-x*z + y^2

We note that as is standard in Magma the action of matrices, as with maps of schemes, is a rightaction on coordinates (x : y : z).

Parametrization(C)

Parametrization(C, P)

Parametrization(C, p)

Parametrization(C, p, P)

Given a conic curve C over a general field, these functions return a parametrizationas an isomorphism of schemes P → C. Here P is a copy of a projective line; it may bespecified as one of the arguments, otherwise a new projective line is created. Note that itis now required that P is given (or created) as a curve rather than an ambient. This allowsthe immediate use of pullback/push-forward functionality for the parametrization map.

When a rational point or place is not specified as one of the arguments, the base fieldof C must be one of the kinds allowed in HasRationalPoint. If the conic has no rationalpoints, an error results.


ParametrizeOrdinaryCurve(C)

ParametrizeOrdinaryCurve(C, p)

ParametrizeOrdinaryCurve(C, p, I)

ParametrizeRationalNormalCurve(C)

These functions are as above (see Parametrization), but use different algorithms.When C is a plane curve with only ordinary singularities (see subsection 99.3.6),

a slightly different procedure is followed that relies less on the general function fieldmachinery and tends to be faster and can produce nicer parametrizations. Thevariants ParametrizeOrdinaryCurve allow direct calls to these more specialisedprocedures. The I argument is the adjoint ideal of C (loc. cit.), which may bepassed in if already computed.

The final function listed is slightly different. It applies only to rational normalcurves, ie non-singular rational curves of degree d in ordinary d-dimensional projec-tive space for d ≥ 1. For the sake of speed, the irreducibility of C is not checked.The function uses adjoint maps to find either a line or conic parametrization of C:if d is odd, an isomorphism from the projective line to C is returned, and if d iseven an isomorphism from a plane conic is returned. The method uses no functionfield machinery and can be much faster than the general function.

Example H102E12

In this example we show how to parametrize a projective rational curve with a map from theone-dimensional projective space. First we construct a singular plane curve and verify that it hasgeometric genus zero.

> k := FiniteField(101);

> P2<x,y,z> := ProjectiveSpace(k,2);

> f := x^7 + 3*x^3*y^2*z^2 + 5*y^4*z^3;

> C := Curve(P2,f);

> Genus(C);

0

In order to parametrize the curve, we need to find a nonsingular point on the curve C, or at leasta point of C over which there exists a unique degree one place — geometrically such a point is oneat which C has a cusp. In order to find such a point we can call the intrinsic RationalPoints(C)

which, over a finite field, returns an indexed set all points rational points of C over its base field.Having done so in the background, we demonstrate that the particular point (2 : 33 : 1) is sucha nonsingular rational point.

> p := C![2,33,1];

> p;

(2 : 33 : 1)

> IsNonsingular(C,p);

true

The parametrization function takes a projective line as the third argument, which will be used asthe domain of the parametrization map.

> P1<u,v> := ProjectiveSpace(k,1);


> phi := Parametrization(C, Place(p), Curve(P1));

> phi;

Mapping from: Prj: P1 to Prj: P2

with equations :

2*u^7 + 5*u^6*v + 81*u^5*v^2 + 80*u^4*v^3 + 13*u^3*v^4

33*u^7 + 88*u^6*v + 90*u^5*v^2 + 73*u^4*v^3 + 25*u^3*v^4 +

83*u^2*v^5 + 72*u*v^6 + 24*v^7

u^7

Finally we confirm that the map really does parametrize the curve C. Note that the map isnormalized so that the point at infinity on the projective line P1 maps to the prescribed point p.

> Image(phi);

Scheme over GF(101) defined by

x^7 + 3*x^3*y^2*z^2 + 5*y^4*z^3

> Image(phi) eq C;

false

> DefiningIdeal(Image(phi)) eq DefiningIdeal(C);

true

> phi(P1![1,0]);

(2 : 33 : 1)

102.7 Automorphisms

102.7.1 Automorphisms of Rational CurvesAutomorphisms of the projective line P1 are well-known to be 3-transitive — for anythree distinct points p0, p1, and p∞, there exists an automorphism taking 0 = (0 : 1),1 = (1 : 1), and ∞ = (1 : 0) to p0, p1, and p∞. Conversely the images of 0, 1, and ∞uniquely characterize an automorphism. We use this characterization of isomorphisms todefine automorphisms of rational curves as bijections of three element sequences of pointsover the base ring.

Automorphism(C,S,T)

Given a rational curve C and two indexed sets S = p0, p1, p∞ and T = q0, q1, q∞,each of distinct points over the base ring of C, returns the unique automorphism ofC taking p0, p1, p∞ to q0, q1, q∞.


102.7.2 Automorphisms of ConicsThe automorphism group of a conic, and indeed the conics themselves, have a specialrelationship with quaternion algebras (see Lam [Lam73] or Vigneras [Vig80]). For the sakeof exposition we focus on conics C/K defined by a Legendre equation

ax2 + by2 + cz2 = 0,

where abc 6= 0. We define a quaternion algebra A over K with anticommuting generatorsi, j, and k = c−1ij satisfying relations

i2 = −bc, j2 = −ac, k2 = −ab,

and setting I = ai, J = bj, and K = ck. Then we may identify, for any extension L/Kthe ambient projective pointset P2(L) with the projectivization of the trace zero part:

A0L = α ∈ AL | Tr(α) = 0 = LI + LJ + LK,

of the quaternion algebra AL = A⊗K L via (x : y : z) 7→ xI + yJ + zK. Under this map,the pointsets C(L) are identified with the norm zero elements

N(xI + yJ + zK) = abc(ax2 + by2 + cz2) = 0

in P2(L). This allows us to identify the automorphism group AutK(C) with the quotientunit group A∗/K∗ acting on each A0

L by conjugation.In the Magma implementation of this correspondence, the quaternion algebra A is

computed and stored as an attribute of the curve C. Automorphisms of C can be createdfrom any invertible element of the quaternion algebra. We note that the isomorphismof two conics is equivalent to the isomorphism of their quaternion algebras, and that arational parametrization of a conic is equivalent to an isomorphism A ∼= M2(K).

We note that while the advanced features of finding rational points and hence findingparametrizations, and for determining isomorphism, only exist over Q, it is possible torepresent the automorphism group and find automorphisms of the curve independently ofthese other problems. The current implementation works only in characteristic differentfrom 2, for which a Legendre model does not exist.

QuaternionAlgebra(C)

Returns the quaternion algebra in which automorphisms of the conic C can berepresented.

Automorphism(C,a)

Given a conic C and a unit a of the quaternion algebra associated to C, returns theautomorphism of C to corresponding to it.


Example H102E13

In this example we demonstrate how to use quaternion algebra of a conic to construct nontrivialautomorphisms of the curve when there exists no rational points over the base ring. (We use theprinting level Minimal to produce human readable output for scheme maps.)


> C0 := Conic(P2,2*x^2 + x*y + 5*y^2 - 37*z^2);


false

> BadPrimes(C0);

[ 3, 37 ]

> A := QuaternionAlgebra(C0);

> RamifiedPrimes(A);

[ 3, 37 ]

> B := Basis(MaximalOrder(A));

> B;

[ 1, 1/52*i + 1/4*j + 2/481*k, j, 1/2 + 1/148*k ]

> m1 := Automorphism(C0,A!B[2]);

> m1 : Minimal;

(x : y : z) -> (-5/8*x + 259/48*y - 37/3*z : 37/12*x + 69/8*y - 74/3*z :

x + 7/2*y - 61/6*z)


> m2 : Minimal;

(x : y : z) -> (x + 1/2*y : -y : z)


> m3 : Minimal;

(x : y : z) -> (-x - 1/2*y : 1/5*x - 9/10*y : z)

> [ Trace(B[2]), Trace(B[3]), Trace(B[4]) ];

[ 0, 0, 1 ]

> m1 * m1 : Minimal;

(x : y : z) -> (x : y : z)


(x : y : z) -> (x : y : z)


(x : y : z) -> (9/10*x + 19/20*y : -19/50*x + 71/100*y : z)

The last example points out that pure quaternions τ in A0 give rise to involutions – a reflectionof the projective plane about the point defined by τ in P2(K).

One of the strengths of the scheme model in Magma is the ability to work with points of a curveover any extension. Provided we have a rational point over some extension field L/K, we are ableto apply automorphisms of the curve to generate an unbounded number of new points over thatextension by means of the action of the automorphism group. We demonstrate this by looking atquadratic twists of the curve to find a point over Q, which identifies a point on the original curveover a quadratic extension.

> C1 := Conic(P2,2*x^2 + x*y + 5*y^2 - z^2);


false


> C2 := Conic(P2,2*x^2 + x*y + 5*y^2 - 2*z^2);


true

> RationalPoint(C2);

(-1 : 0 : 1)

This gives rise to the obvious points (±1 : 0 :√

74/37) on the original curve.

> P<t> := PolynomialRing(RationalField());

> L<a> := NumberField(t^2-74);

> p := C0(L)![1,0,a/37];

> m1(p);

(1/1880*(207*a + 3034) : 1/940*(-37*a + 2146) : 1)

> m2(p);

(1/2*a : 0 : 1)

> m3(p);

(-1/2*a : 1/10*a : 1)

We could alternatively have formed the base extension of the curve to the new field L and used theknown point over L to find a parametrization of the curve by the projective line. This approachdemonstrates that it is possible to work with points and curve automorphisms without passing toa new curve.

102.8 Bibliography[Cas78] J. W. S. Cassels. Rational Quadratic Forms. Academic Press, London–New

York–San Francisco, 1978.[CR03] J. E. Cremona and D. Rusin. Efficient solution of rational conics. Mathematics

of Computation, 72(243):1417–1441, 2003.[CR06] J. E. Cremona and D. Rusin. Solving conics over function fields. Journal de

Theorie des Nombres de Bordeaux, 18:595–606, 2006.[Lam73] T. Y. Lam. The Algebraic Theory of Quadratic Forms. W. A. Benjamin, Inc.,

Reading, MA, 1973.[Sim05] Denis Simon. Solving quadratic equations using reduced unimodular quadratic

forms. Math. Comp., 74(251):1531–1543 (electronic), 2005.[Vig80] M.-F. Vigneras. Arithmetique des Algebres de Quaternions, volume 800 of

Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1980.

103 ELLIPTIC CURVES103.1 Introduction . . . . . . . 3261

103.2 Creation Functions . . . . 3262

103.2.1 Creation of an Elliptic Curve . . 3262

EllipticCurve([a, b]) 3262EllipticCurve([a1, a2, a3, a4, a6]) 3262EllipticCurve(f) 3262EllipticCurve(f, h) 3262EllipticCurveFromjInvariant(j) 3262EllipticCurveWithjInvariant(j) 3262EllipticCurve(C) 3263EllipticCurve(C, P) 3264EllipticCurve(C, pl) 3264SupersingularEllipticCurve(K) 3264

103.2.2 Creation Predicates . . . . . . 3266

IsEllipticCurve([a, b]) 3266IsEllipticCurve([a1, a2, a3, a4, a6]) 3266IsEllipticCurve(C) 3266

103.2.3 Changing the Base Ring . . . . 3266

BaseChange(E, K) 3266BaseExtend(E, K) 3266ChangeRing(E, K) 3266BaseChange(E, h) 3267BaseExtend(E, h) 3267BaseChange(E, n) 3267BaseExtend(E, n) 3267

103.2.4 Alternative Models . . . . . . 3267

WeierstrassModel(E) 3267IntegralModel(E) 3267SimplifiedModel(E) 3268MinimalModel(E) 3268MinimalModel(E, p) 3268MinimalModel(E, P) 3268MinimalModel(E, Pl) 3268

103.2.5 Predicates on Curve Models . . 3268

IsWeierstrassModel(E) 3268IsIntegralModel(E) 3268IsSimplifiedModel(E) 3268IsMinimalModel(E) 3269IsIntegralModel(E, P) 3269

103.2.6 Twists of Elliptic Curves . . . . 3269

QuadraticTwist(E, d) 3269QuadraticTwist(E) 3270QuadraticTwists(E) 3270Twists(E) 3270IsTwist(E, F) 3270IsQuadraticTwist(E, F) 3270MinimalQuadraticTwist(E) 3272

103.3 Operations on Curves . . . 3272


aInvariants(E) 3272Coefficients(E) 3272ElementToSequence(E) 3272Eltseq(E) 3272bInvariants(E) 3273cInvariants(E) 3273Discriminant(E) 3273jInvariant(E) 3273HyperellipticPolynomials(E) 3273

103.3.2 Associated Structures . . . . . 3275

Category(E) 3275Type(E) 3275BaseRing(E) 3275CoefficientRing(E) 3275

103.3.3 Predicates on Elliptic Curves . . 3275

eq 3275ne 3275IsIsomorphic(E, F) 3275IsIsogenous(E, F) 3275

103.4 Subgroup Schemes . . . . . 3276

103.4.1 Creation of Subgroup Schemes . 3276

SubgroupScheme(G, f) 3276TorsionSubgroupScheme(G, n) 3276


Category(G) 3277Type(G) 3277Curve(G) 3277Generic(G) 3277BaseRing(G) 3277CoefficientRing(G) 3277DefiningSubschemePolynomial(G) 3277

103.4.3 Predicates on Subgroup Schemes 3277

eq 3277ne 3277

103.4.4 Points of Subgroup Schemes . . 3277

# 3277Order(G) 3277FactoredOrder(G) 3277Points(G) 3277RationalPoints(G) 3277

103.5 Operations on Point Sets . . 3278

103.5.1 Creation of Point Sets . . . . . 3279

E(L) 3279PointSet(E, L) 3279E(m) 3279PointSet(E, m) 3279


Category(H) 3279Type(H) 3279


Scheme(H) 3279Curve(H) 3279Ring(H) 3279

103.5.3 Predicates on Point Sets . . . . 3280

eq 3280ne 3280

103.6 Operations on Points . . . 3281

103.6.1 Creation of Points . . . . . . . 3281

! elt 3281! elt 3281! Id Identity 3281! Id Identity 3281Points(H, x) 3281Points(E, x) 3281Points RationalPoints 3281Points RationalPoints 3281PointsAtInfinity(H) 3282PointsAtInfinity(E) 3282


IsPoint(H, S) 3282IsPoint(E, S) 3282IsPoint(H, x) 3282IsPoint(E, x) 3282

103.6.3 Access Operations . . . . . . . 3282

P[i] 3282ElementToSequence(P) 3282Eltseq(P) 3282


Category(P) 3282Type(P) 3282Parent(P) 3282Scheme(P) 3282Curve(P) 3282

103.6.5 Arithmetic . . . . . . . . . . 3283

- 3283+ 3283+:= 3283- 3283-:= 3283* 3283*:= 3283

103.6.6 Division Points . . . . . . . . 3283

/ 3283/:= 3283DivisionPoints(P, n) 3283IsDivisibleBy(P, n) 3283

103.6.7 Point Order . . . . . . . . . 3286

Order(P) 3286FactoredOrder(P) 3286

103.6.8 Predicates on Points . . . . . . 3286

IsId(P) 3286IsIdentity(P) 3286

IsZero(P) 3286eq 3287ne 3287in 3287in 3287IsOrder(P, m) 3287IsIntegral(P) 3287IsSIntegral(P, S) 3287

103.6.9 Weil Pairing . . . . . . . . . 3288

WeilPairing(P, Q, n) 3288IsLinearlyIndependent(S, n) 3288IsLinearlyIndependent(P, Q, n) 3288

103.7 Polynomials . . . . . . . 3289

DefiningPolynomial(E) 3289DivisionPolynomial(E, n) 3289DivisionPolynomial(E, n, g) 3289TwoTorsionPolynomial(E) 3289

103.8 Curves over the Rationals . 3290

103.8.1 Local Invariants . . . . . . . . 3290

Conductor(E) 3290BadPrimes(E) 3290TamagawaNumber(E, p) 3290TamagawaNumbers(E) 3290LocalInformation(E, p) 3290LocalInformation(E) 3291ReductionType(E, p) 3291FrobeniusTraceDirect(E, p) 3291TracesOfFrobenius(E, B) 3291

103.8.2 Kodaira Symbols . . . . . . . 3291

KodairaSymbol(E, p) 3291KodairaSymbols(E) 3291KodairaSymbol(s) 3291eq 3292ne 3292

103.8.3 Complex Multiplication . . . . 3292

HasComplexMultiplication(E) 3292

103.8.4 Isogenous Curves . . . . . . . 3293

IsogenousCurves(E) 3293FaltingsHeight(E) 3293

103.8.5 Mordell–Weil Group . . . . . . 3294

MordellWeilShaInformation(E: -) 3294DescentInformation(E: -) 3294Rank(E: -) 3295MordellWeilRank(E: -) 3295RankBounds(E: -) 3295MordellWeilRankBounds(E: -) 3295AbelianGroup(E: -) 3295MordellWeilGroup(E: -) 3295Saturation(points, n) 3296TorsionSubgroup(E) 3296Generators(E) 3296NumberOfGenerators(E) 3296

Ch. 103 ELLIPTIC CURVES 3257

Ngens(E) 3296

103.8.6 Heights and Height Pairing . . . 3298

NaiveHeight(P) 3298WeilHeight(P) 3298Height(P: -) 3298CanonicalHeight(P: -) 3298LocalHeight(P, p) 3298HeightPairing(P, Q: -) 3299HeightPairingMatrix(S: -) 3299HeightPairingMatrix(E: -) 3299Regulator(S) 3299Regulator(E) 3299SilvermanBound(E) 3300SiksekBound(E: -) 3300IsLinearlyIndependent(P, Q) 3301IsLinearlyIndependent(S) 3301ReducedBasis(S) 3301

103.8.7 Two-Descent and Two-Coverings 3302

TwoDescent(E : -) 3303AssociatedEllipticCurve(f) 3303AssociatedEllipticCurve(C) 3303TwoIsogenyDescent(E : -) 3304LiftDescendant(C) 3304QuarticIInvariant(q) 3304QuarticJInvariant(q) 3304QuarticG4Covariant(q) 3304QuarticG6Covariant(q) 3304QuarticHSeminvariant(q) 3304QuarticPSeminvariant(q) 3304QuarticQSeminvariant(q) 3304QuarticRSeminvariant(q) 3304QuarticNumberOfRealRoots(q) 3305QuarticMinimise(q) 3305QuarticReduce(q) 3305IsEquivalent(f,g) 3305

103.8.8 The Cassels-Tate Pairing . . . . 3305

CasselsTatePairing(C, D) 3305

103.8.9 Four-Descent . . . . . . . . . 3306

FourDescent(f : -) 3306FourDescent(C : -) 3306AssociatedEllipticCurve(qi) 3307AssociatedHyperellipticCurve(qi) 3307QuadricIntersection(F) 3307QuadricIntersection(P, F) 3307QuadricIntersection(E) 3308QuadricIntersection(C) 3308IsQuadricIntersection(C) 3308PointsQI(C, B : -) 3308TwoCoverPullback(H, pt) 3308TwoCoverPullback(f, pt) 3308FourCoverPullback(C, pt) 3308

103.8.10 Eight-Descent . . . . . . . . . 3309

EightDescent(C : -) 3309

103.8.11 Three-Descent . . . . . . . . 3310

ThreeDescent(E : -) 3311ThreeSelmerGroup(E : -) 3312ThreeDescentCubic(E, α : -) 3313ThreeIsogenyDescent(E : -) 3313ThreeIsogenySelmerGroups(E : -) 3314ThreeIsogenyDescentCubic(φ, α) 3314Jacobian(C) 3315ThreeSelmerElement(E, C) 3315ThreeSelmerElement(C) 3315AddCubics(cubic1, cubic2 : -) 3315ThreeTorsionType(E) 3315ThreeTorsionPoints(E : -) 3316ThreeTorsionMatrices(E, C) 3316

103.8.12 Heegner Points . . . . . . . . 3316

HeegnerPoint(E : -) 3316HeegnerPoint(C : -) 3317HeegnerPoint(f : -) 3317ModularParametrization(E, z, B : -) 3317ModularParametrization(E, z : -) 3317ModularParametrization(E, Z, B : -) 3317ModularParametrization(E, Z : -) 3318ModularParametrization(E, f, B : -) 3318ModularParametrization(E, f : -) 3318ModularParametrization(E, F, B : -) 3318ModularParametrization(E, F : -) 3318HeegnerDiscriminants(E,lo,hi) 3318HeegnerForms(E,D : -) 3318HeegnerForms(N,D : -) 3319ManinConstant(E) 3319HeegnerTorsionElement(E) 3319HeegnerPoints(E, D : -) 3319

103.8.13 Analytic Information . . . . . 3323

Periods(E: -) 3323RealPeriod(E: -) 3323EllipticExponential(E, z) 3323EllipticExponential(E, S) 3323EllipticLogarithm(P: -) 3324EllipticLogarithm(E, S) 3324pAdicEllipticLogarithm(P, p: -) 3324RootNumber(E) 3325RootNumber(E, p) 3325AnalyticRank(E) 3325ConjecturalRegulator(E) 3325ConjecturalRegulator(E, v) 3325ModularDegree(E) 3326

103.9 Integral and S-integral Points 3327

103.9.1 Integral Points . . . . . . . . 3328

IntegralPoints(E) 3328IntegralQuarticPoints(Q) 3328IntegralQuarticPoints(Q, P) 3329

103.9.2 S-integral Points . . . . . . . 3329

SIntegralPoints(E, S) 3329SIntegralQuarticPoints(Q, S) 3330SIntegralLjunggrenPoints(Q, S) 3330


SIntegralDesbovesPoints(Q, S) 3330

103.10 Elliptic Curve Database . . 3331

EllipticCurveDatabase(: -) 3331CremonaDatabase(: -) 3331SetBufferSize(D, n) 3331LargestConductor(D) 3332ConductorRange(D) 3332# 3332NumberOfCurves(D) 3332NumberOfCurves(D, N) 3332NumberOfCurves(D, N, i) 3332NumberOfIsogenyClasses(D, N) 3332EllipticCurve(D, N, I, J) 3332EllipticCurve(D, N, S, J) 3332EllipticCurve(D, S) 3332EllipticCurve(S) 3332Random(D) 3332CremonaReference(D, E) 3332CremonaReference(E) 3332EllipticCurves(D, N, I) 3333EllipticCurves(D, N, S) 3333EllipticCurves(D, N) 3333EllipticCurves(D, S) 3333EllipticCurves(D) 3334

103.11 Curves over Number Fields . 3334


BadPlaces(E) 3335BadPlaces(E, L) 3335Conductor(E) 3335LocalInformation(E, P) 3335LocalInformation(E) 3335Reduction(E, p) 3335RootNumber(E, P) 3335RootNumber(E) 3336

103.11.2 Complex Multiplication . . . . 3336

HasComplexMultiplication(E) 3336

103.11.3 Torsion Information . . . . . . 3336

TorsionBound(E, n) 3336pPowerTorsion(E, p) 3336TorsionSubgroup(E) 3336

103.11.4 Heights . . . . . . . . . . . 3336

NaiveHeight(P) 3336Height(P : -) 3337HeightPairingMatrix(P : -) 3337LocalHeight(P, Pl : -) 3337

103.11.5 Selmer Groups . . . . . . . . 3337

DescentMaps(phi) 3338CasselsMap(phi) 3338SelmerGroup(phi) 3339TwoSelmerGroup(E) 3339RankBound(E) 3340

103.11.6 Mordell–Weil Group . . . . . . 3342

MordellWeilSubgroup(E) 3342

PseudoMordellWeilGroup(E) 3342

103.11.7 Elliptic Curve Chabauty . . . . 3343

Chabauty(MWmap, Ecov, p) 3343

103.11.8 Auxiliary functions for etale alge-bras . . . . . . . . . . . . . 3345

AbsoluteAlgebra(A) 3345pSelmerGroup(A, p, S) 3346LocalTwoSelmerMap(P) 3346LocalTwoSelmerMap(A, P) 3346

103.12 Morphisms . . . . . . . . 3347

103.12.1 Creation Functions . . . . . . 3347

Isomorphism(E, F, [r, s, t, u]) 3347Isomorphism(E, F) 3347Automorphism(E, [r, s, t, u]) 3348IsomorphismData(I) 3348IsIsomorphism(I) 3348IsomorphismToIsogeny(I) 3348TranslationMap(E, P) 3349RationalMap(i, t) 3349TwoIsogeny(P) 3349IsogenyFromKernel(G) 3350IsogenyFromKernelFactored(G) 3350IsogenyFromKernel(E, psi) 3350IsogenyFromKernelFactored(E, psi) 3350PushThroughIsogeny(I, v) 3350PushThroughIsogeny(I, G) 3350DualIsogeny(phi) 3351

103.12.2 Structure Operations . . . . . 3351

IsogenyMapPsi(I) 3351IsogenyMapPsiMulti(I) 3351IsogenyMapPsiSquared(I) 3351IsogenyMapPhi(I) 3352IsogenyMapPhiMulti(I) 3352IsogenyMapOmega(I) 3352Kernel(I) 3352Degree(I) 3352

103.12.3 The Endomorphism Ring . . . . 3352

MultiplicationByMMap(E, m) 3352IdentityIsogeny(E) 3352IdentityMap(E) 3352FrobeniusMap(E, i) 3352FrobeniusMap(E) 3352

103.12.4 The Automorphism Group . . . 3353

IdentityMap(E) 3353NegationMap(E) 3353* 3353

103.12.5 Predicates on Isogenies . . . . . 3353

IsZero(I) 3353IsConstant(I) 3353eq 3353

103.13 The formal group law . . . 3354


FormalGroupLaw(E, prec) 3354FormalGroupHomomorphism(phi, prec) 3354FormalLog(E) 3354

103.14 Curves over p-adic Fields . . 3354


Conductor(E) 3354LocalInformation(E) 3354RootNumber(E) 3355

103.15 Bibliography . . . . . . . 3355

Chapter 103

ELLIPTIC CURVES

103.1 IntroductionThis chapter describes features provided for working with elliptic curves in Magma. Itcontains basic functionality for curves over fairly general fields, and also specialised func-tions for curves over the rationals and number fields. There are separate chapters dealingwith specialised functions for curves over finite fields, and over univariate function fields.

An elliptic curve E is the projective closure of the curve given by the generalizedWeierstrass equation

y2 + a1xy + a3y = x3 + a2x2 + a4x + a6,

and is specified by the sequence [a1, a2, a3, a4, a6] of coefficients, or alternatively by thetwo element sequence [a4, a6] when a1 = a2 = a3 = 0.

Elliptic curve functionality covers both elementary invariants of curves and arithmeticin the group of rational points, as well as higher level features for computing local invari-ants, heights, and Mordell–Weil groups for curves over Q, and for point counting and thedetermination of the group structure over Fq. The base ring of elliptic curves is currentlyrestricted to fields. Curves over the rationals have special features to allow the constructionof integral and minimal models, and for base change to finite fields, in acknowledgementof the integral structure over Z or Zp.

For curves over the rationals or over number fields, there are routines for determiningminimal models, and we implement Tate’s algorithm for determining Kodaira symbols andvarious local invariants. Algorithms for the computation of the Mordell–Weil group areheavily based on publications of John Cremona; see [Cre97] for details. There are alsoseparate implementations of 2-descent (over number fields), and 3-descent and 4-descent(over the rationals). For curves over the rationals, several aspects of the analytic theory(including modular parametrizations and Heegner points) are implemented.

Elliptic curves are specialised forms of the more general curve and scheme types, andas such all functions which apply to these general types work on elliptic curves (althougha few of them behave differently for elliptic curves). Some of these functions are describedhere, but not all of them — refer to chapters 98 (Schemes) and 99 (Curves) for descriptionsof these functions, as well as an explanation of the relationships between points, point sets,and schemes. In particular, note that the parent of a point is a point set, and not the curve.

The name of the category of elliptic curves is CrvEll, with points of type PtEll lying inpoint sets of type SetPtEll. There is also the category SchGrpEll for subgroup schemes ofelliptic curves, and a special category SymKod exists for the datatype of Kodaira symbols,classifying the local structure of the special fibre at p of the Neron model of an ellipticcurve E/Q.


This chapter, the first of three on elliptic curves, begins with a treatment of the basicsfor curves over general fields: their construction, their arithmetic and their basic prop-erties. The chapter then presents the wide range of techniques available for determininginformation about the group of rational points for curves over Q and over number fields.Specialised machinery provided for elliptic curves over finite fields is described in Chapter104, while elliptic curves over function fields are discussed in Chapter 105.

103.2 Creation Functions

103.2.1 Creation of an Elliptic CurveAn elliptic curve E may be created by specifying Weierstrass coordinates for the curveover a field K, where integer coordinates are interpreted as elements of Q. Note that thecoordinate ring K defines the base point set of E, and points defined over an extensionfield of K must be created in the appropriate point set.

EllipticCurve([a, b])

EllipticCurve([a1, a2, a3, a4, a6])

Given a sequence of elements of a ring K, this function creates the elliptic curve Eover K defined by taking the elements of the sequence as Weierstrass coefficients.The length of the sequence must either be two, that is s = [a, b], in which case E isdefined by y2 = x3 + ax + b, or five, that is s = [a1, a2, a3, a4, a6], in which case Eis given by y2 + a1xy + a3y = x3 + a2x

2 + a4x + a6. Currently K must be field; ifintegers are given, they will be coerced into Q. The given coefficients must define anonsingular curve; that is, the discriminant of the curve must be nonzero.

EllipticCurve(f)

EllipticCurve(f, h)

Given polynomials f and h, this function creates the elliptic curve defined by y2 +h(x)y = f(x), or by y2 = f(x) if h is not given. The polynomial f must be monicof degree 3 and h must have degree at most 1.

EllipticCurveFromjInvariant(j)

EllipticCurveWithjInvariant(j)

Given a ring element j, this function creates an elliptic curve E over K with j-invariant equal to j defined as follows: If j = 0 and K does not have characteristic3 then E is defined by y2 + y = x3; if j = 1728 then E is defined by y2 = x3 + x(which covers the case where j = 0 and K has characteristic 3); otherwise j−1728 isinvertible in K, and E is defined by y2 +xy = x3− (36/(j− 1728))x− 1/(j− 1728).


Example H103E1

We create one particular elliptic curve over Q in three different ways:

> EllipticCurve([1, 0]);

Elliptic Curve defined by y^2 = x^3 + x over Rational Field

> Qx<x> := PolynomialRing(Rationals());

> EllipticCurve(x^3 + x);


> EllipticCurveWithjInvariant(1728);


EllipticCurve(C)

Verbose EllModel Maximum : 3

Given a scheme C describing a curve of genus 1 with an easily recognised rationalpoint, the function returns an elliptic curve E, together with a birational map fromC to E. If there is no “obvious” rational point then this routine will fail. C mustbelong to one of the following classes:

(i) Hyperelliptic curves of genus 1 of the form

C : y2 + h(x)y = f(x)

with f of degree 3 or 4 and h of degree at most 1. If the function x on C hasa rational branch point then that point is sent to the origin on E. Otherwise,if C has a rational point at x = ∞ then that point is used.

(ii) Nonsingular plane curves of degree 3. If the curve is already in generalWeierstrass form up to a permutation of the variables, then this is recognisedand used as a model for the elliptic curve. Otherwise the base field of thecurve must have characteristic different from 2 and 3; in this case, the curveis tested for having a rational flex. If it has, then a linear transformationsuffices to get the curve into general Weierstrass form, and this is used.

(iii) Singular plane curves of degree 4 over a base field of characteristic differentfrom 2 with a unique cusp, with the tangent cone meeting the curve only atthat point. Up to linear transformation, these are curves of type

y2 = f(x),

with f of degree 4. Such curves are brought into the standard form above.If either a rational point exists with x = 0 or the curve intersects the line atinfinity in a rational point, then that point is used to put the curve in generalWeierstrass form.


EllipticCurve(C, P)


Given a scheme C describing a curve of genus 1 with a nonsingular rational point P ,the function returns an elliptic curve E, together with a birational map sending thesupplied point to the origin on E.

If C is a plane curve of degree 3 over a base field having characteristic differentfrom 2 and 3 then particular tricks are tried. If the supplied point is a flex then alinear transformation is used. Otherwise, Nagell’s algorithm [Nag28], also describedin [Cas91], is used.

If C is a plane curve of degree 4 over a base field of characteristic different from2 with a unique cusp and a tangent cone that meets the curve only in that cusp,then a construction in [Cas91] is used.

In all other cases, C has to be a plane curve and a Riemann–Roch computationis used. This is potentially very expensive.

EllipticCurve(C, pl)


Given a plane curve C of genus 1 and a place pl of degree 1, the function returnsan elliptic curve E together with a birational map from C to E.

This routine uses a (potentially expensive) Riemann–Roch computation. Thisis different to the routine that takes a point instead of a place, which uses specialmethods when the curve has degree 3 or 4.

SupersingularEllipticCurve(K)

Given a finite field K, the function returns a representative supersingular ellipticcurve.

Example H103E2

In the following example Nagell’s algorithm is applied.

> P2<X, Y, Z> := ProjectiveSpace(Rationals(), 2);

> C := Curve(P2, X^3 + Y^2*Z - X*Y*Z - Z^3);

> pt := C![0, 1, 1];

> time E1, phi1 := EllipticCurve(C, pt);

Time: 0.070

> E1;

Elliptic Curve defined by y^2 = x^3 - 5/16*x^2 + 1/32*x + 15/1024 over Rational

Field

Whereas this next call (given a place) is forced to do the Riemann–Roch computation.

> time E2, phi2 := EllipticCurve(C, Place(pt));

Time: 0.120

> E2;


Elliptic Curve defined by y^2 + 1024*y = x^3 + 16*x^2 over Rational Field

Not surprisingly, the specialised code is faster. It is also better for another reason — the returnedmap has a known inverse, while this is not the case for the map returned by the general algorithm.

> phi1;

Mapping from: Crv: C to CrvEll: E1

with equations :

9/8*X^2 - 1/4*X*Y

-1/8*X^2 + 1/4*X*Y + 13/16*X*Z - 1/8*Y*Z - 1/8*Z^2

X^2 - 2*X*Y + 2*X*Z

and inverse

$.1^2 - 3/16*$.1*$.3 + 1/128*$.3^2

1/2*$.1^2 + $.1*$.2 - 15/32*$.1*$.3 + 9/256*$.3^2

$.1*$.2 + 1/8*$.1*$.3 - 1/8*$.2*$.3 - 1/64*$.3^2

> phi2;

Mapping from: Crv: C to CrvEll: E2

with equations :

-64*X^2*Y + 64*X^2*Z - 128*X*Y^2 + 256*X*Y*Z - 128*X*Z^2 + 64*Y^2*Z - 64*Y*Z^2

256*X^2*Y + 256*X^2*Z + 1024*X*Y*Z - 1024*X*Z^2 + 1792*Y^2*Z - 4352*Y*Z^2 +

2048*Z^3

Y^3 - 3*Y^2*Z + 3*Y*Z^2 - Z^3

Example H103E3

In this example the starting curve is less clearly elliptic. Since this curve does not match any ofthe special forms described the Riemann–Roch computation will be used.

> P2<X, Y, Z> := ProjectiveSpace(Rationals(), 2);

> C := Curve(P2, X^3*Y^2 + X^3*Z^2 - Z^5);

> Genus(C);

1

> pt := C![1, 0, 1];

> E, toE := EllipticCurve(C, pt);

> E;

Elliptic Curve defined by y^2 = x^3 + 3*x^2 + 3*x over Rational Field

> toE;

Mapping from: Crv: C to CrvEll: E

with equations :

-3*X^2*Z + 3*X*Z^2

-3*X^2*Y

X^2*Z - 2*X*Z^2 + Z^3


103.2.2 Creation Predicates

IsEllipticCurve([a, b])

IsEllipticCurve([a1, a2, a3, a4, a6])

The function returns true if the given sequence of ring elements defines an ellipticcurve (in other words, if the discriminant is nonzero). When true, the elliptic curveis also returned.

IsEllipticCurve(C)

Given a hyperelliptic curve, the function returns true if C has degree 3. Whentrue, the function also returns the elliptic curve, and isomorphisms to and from it.This function is deprecated and will be removed in a later release. Instead, useDegree(C) eq 3, and EllipticCurve(C).

Example H103E4

We check a few small primes to see which ones make certain coefficients define an elliptic curve.

> S := [ p : p in [1..20] | IsPrime(p) ];

> for p in S do

> ok, E := IsEllipticCurve([GF(p) | 1, 1, 0, -3, -17 ]);

> if ok then print E; end if;

> end for;

Elliptic Curve defined by y^2 + x*y = x^3 + x^2 + 1 over GF(3)

Elliptic Curve defined by y^2 + x*y = x^3 + x^2 + 10*x + 9 over GF(13)

Elliptic Curve defined by y^2 + x*y = x^3 + x^2 + 14*x over GF(17)

103.2.3 Changing the Base RingThe following general scheme functions provide a convenient way to generate a new ellipticcurve similar to an old one but defined over a different field. Some care must be taken,however: if the result is not a valid elliptic curve then the functions will still succeed butthe object returned will be a general curve rather than an elliptic curve.

BaseChange(E, K)

BaseExtend(E, K)

Given an elliptic curve E defined over a field k, and a field K which is an extensionof k, return an elliptic curve E′ over K using the natural inclusion of k in K to mapthe coefficients of E into K.

ChangeRing(E, K)

Given an elliptic curve E defined over a field k, and a field K, return an elliptic curveE′ over K by using the standard coercion from k to K to map the coefficients of Einto K. This is useful when there is no appropriate ring homomorphism between kand K (e.g., when k = Q and K is a finite field).


BaseChange(E, h)

BaseExtend(E, h)

Given an elliptic curve E over a field k and a ring map h : k → K, return an ellipticcurve E′ over K by applying h to the coefficients of E.

BaseChange(E, n)

BaseExtend(E, n)

The base extension of the elliptic curve E over a finite field to its degree n extension.

Example H103E5

> K1 := GF(23);

> K2 := GF(23,2);

> f := hom<K1 -> K2 | >;

> E1 := EllipticCurve([K1 | 1, 1]);

> E2 := EllipticCurve([K2 | 1, 1]);

> assert E2 eq BaseExtend(E1, K2);

> assert E2 eq BaseExtend(E1, f);

> assert E2 eq BaseExtend(E1, 2);

> // this is illegal, since K1 is not an extension of K2

> BaseExtend(E2, K1);

>> BaseExtend(E2, K1);

^

Runtime error in ’BaseExtend’: Coercion of equations is not possible

> assert E1 eq ChangeRing(E2, K1); // but this is OK

103.2.4 Alternative ModelsGiven an elliptic curve E, there are standard alternative models for E that may be ofinterest. Each of the functions in this section returns an isomorphic curve E′ that is thedesired model, together with the isomorphisms E → E′ and E′ → E.

NOTE: the second isomorphism is now completely redundant as it is the inverse of thefirst; in a later release only the first will be returned.

WeierstrassModel(E)

Given an elliptic curve E, this function returns an isomorphic elliptic curve E′ insimplified Weierstrass form y2 = x3 + ax + b. It does not apply when the base ringof E has characteristic 2 or 3 (in which case such a simplified form may not exist).

IntegralModel(E)

Given an elliptic curve E defined over a number field K (which may be Q), thisfunction returns an isomorphic elliptic curve E′ defined over K with integral coeffi-cients.


SimplifiedModel(E)

A simplified model of the elliptic curve E is returned. If E is defined over Qthis has the same effect as MinimalModel below. Otherwise, if the characteristicof the base ring is different from 2 and 3, the simplified model agrees with theWeierstrassModel. For characteristics 2 and 3 the situation is more complicated;see Ian Connell’s “The Elliptic Curve Handbook” for the definition for curves definedover finite fields.

MinimalModel(E)

Given an elliptic curve E defined over Q or a number field K with class number one,returns a global minimal model E′ for E. By definition the global minimal modelE′ is an integral model isomorphic to E over K, such that the discriminant of E′

has minimal valuation at all non-zero prime ideals π of K. (For Q, this means ithas minimal p-adic valuation at all primes p.)

Such a global minimal model is only guaranteed to exist when the class numberof K is 1 (and so one always exists when K = Q); depending on the curve, however,such a model may exist even when this is not the case. If no such minimal modelexists then a runtime error will occur.

MinimalModel(E, p)

MinimalModel(E, P)

MinimalModel(E, Pl)

UseGeneratorAsUniformiser

BoolElt Default : false

Given an elliptic curve E defined over a number field K, and a prime ideal P ,returns a curve isomorphic to E which is minimal at P . If desired, the ideal maybe specified using the corresponding place Pl of K instead. Additionally, if K is Qthen the ideal may be specified by the appropriate (integer) prime p.

For curves over number fields, when the parameter UseGeneratorAsUniformiseris set true, Magma will check whether the ideal is principal; and if so, use anideal generator as the uniformising element. This means that at other primes, thereturned model will be integral, or minimal, if the given model was.

103.2.5 Predicates on Curve Models

IsWeierstrassModel(E)

Returns true if and only if the elliptic curve E is in simplified Weierstrass form.

IsIntegralModel(E)

Returns true if and only if the elliptic curve E is an integral model.

IsSimplifiedModel(E)

Returns true if and only if the elliptic curve E is a simplified model.


IsMinimalModel(E)

Returns true if and only if the elliptic curve E is a minimal model.

IsIntegralModel(E, P)

Returns true if the defining coefficients of the elliptic curve E, a curve over a numberfield, have non-negative valuation at the prime ideal P , which must be an ideal ofan order of the coefficient ring of E.

Example H103E6

We define an elliptic curve over the rationals, find an integral model, a minimal model and anintegral model for the short Weierstrass form.

> E := EllipticCurve([1/2, 1/2, 1, 1/3, 4]);

> E;

Elliptic Curve defined by y^2 + 1/2*x*y + y = x^3 + 1/2*x^2 + 1/3*x + 4

over Rational Field

> IE := IntegralModel(E);

> IE;

Elliptic Curve defined by y^2 + 3*x*y + 216*y = x^3 + 18*x^2 + 432*x +

186624 over Rational Field

> ME := MinimalModel(IE);

> ME;

Elliptic Curve defined by y^2 + x*y + y = x^3 - x^2 + 619*x + 193645

over Rational Field

> WE := WeierstrassModel(E);

> WE;

Elliptic Curve defined by y^2 = x^3 + 9909/16*x + 6201603/32 over

Rational Field

> IWE := IntegralModel(WE);

> IWE;

Elliptic Curve defined by y^2 = x^3 + 649396224*x + 208091266154496

over Rational Field

> IsIsomorphic(IWE, ME);

true

103.2.6 Twists of Elliptic CurvesIn the following, all twists will be returned in the form of simplified models.

QuadraticTwist(E, d)

Given an elliptic curve E and an element d of the base ring, return the quadratictwist by d. This is isomorphic to E if and only if either the characteristic is 2 andthe trace of d is 0, or the characteristic is not 2 and d is a square. The routine doesnot always work in characteristic 2.


QuadraticTwist(E)

Given an elliptic curve E over a finite field, return a quadratic twist; that is, anonisomorphic curve whose trace is the negation of Trace(E).

QuadraticTwists(E)

Given an elliptic curve E over a finite field, return the sequence of nonisomorphicquadratic twists. The first of these curves is isomorphic to E.

Twists(E)

Given an elliptic curve over a finite field K, return the sequence of all nonisomorphicelliptic curves over K which are isomorphic over an extension field. The first of thesecurves is isomorphic to E.

Example H103E7

In this example we compute the quadratic twists of an elliptic curve over the finite field F13 andverify that they fall in two isomorphism classes over the base field.

> E1 := EllipticCurve([GF(13) | 3, 1]);

> E5 := QuadraticTwist(E1, 5);

> E5;

Elliptic Curve defined by y^2 = x^3 + 10*x + 8 over GF(13)

> S := QuadraticTwists(E1);

> S;

[

Elliptic Curve defined by y^2 = x^3 + 3*x + 1 over GF(13),


]

> [ IsIsomorphic(E1,E) : E in S ];

[ true, false ]

> [ IsIsomorphic(E5,E) : E in S ];

[ false, true ]

IsTwist(E, F)

Returns true if and only if the elliptic curves E and F are isomorphic over anextension field — this function only tests the j-invariants of the curves.

IsQuadraticTwist(E, F)

Returns true if and only if the elliptic curves E and F are isomorphic over aquadratic extension field, and if so, returns an element d of the base field such thatF is isomorphic to QuadraticTwist(E, d).


Example H103E8

In this example we take curves of j-invariant 0 and 123 = 12 over the finite field F13, and computeall twists. Since the automorphism groups are nontrivial, the number of twists is larger than thenumber of quadratic twists. By computing the numbers of points, we see that the curves areindeed pairwise nonisomorphic over the base field.


> jInvariant(E3);

0


> jInvariant(E4);

12

> T3 := Twists(E3);

> T3;

[

Elliptic Curve defined by y^2 = x^3 + 1 over GF(13),





Elliptic Curve defined by y^2 = x^3 + 6 over GF(13)

]

> [ #E : E in T3 ];

[ 12, 19, 21, 16, 9, 7 ]

> T4 := Twists(E4);

> T4;

[

Elliptic Curve defined by y^2 = x^3 + x over GF(13),

Elliptic Curve defined by y^2 = x^3 + 2*x over GF(13),

Elliptic Curve defined by y^2 = x^3 + 4*x over GF(13),

Elliptic Curve defined by y^2 = x^3 + 8*x over GF(13)

]

> [ #E : E in T4 ];

[ 20, 10, 8, 18 ]

Observe that exactly two of the twists are quadratic twists (as must always be the case).

> [ IsQuadraticTwist(E3, E) : E in T3 ];

[ true, false, false, true, false, false ]

> [ IsQuadraticTwist(E4, E) : E in T4 ];

[ true, false, true, false ]


MinimalQuadraticTwist(E)

Determine the minimal twist of the rational elliptic curve E. This is defined locallyprime-by-prime, and the algorithm for finding it is based on this observation. Foreach odd prime p of bad reduction, the algorithm iteratively replaces the curve byits twist by p if the latter has smaller discriminant.

For p = 2, there is no accepted definition of minimal, and the prime at infinityalso plays a role. Having handled all the odd primes, there are only twists by−1, 2, and −2 to consider. The algorithm implemented in Magma first chooses atwist with minimal 2-valuation of the conductor; this is unique precisely when this2-valuation is less than 5. [Note that others have chosen instead to minimise the2-valuation of ∆.]

The prime 2 can be eliminated at this point as was done in the case of theodd primes, leaving only the consideration of twisting the curve by −1. Here thealgorithm arbitrarily chooses the curve that has (−1)v2(c6)odd(c6) congruent to 3mod 4. The function returns as its second argument the integer d by which thecurve was twisted to obtain the minimal twist.

Example H103E9

> E:=EllipticCurve([0,1,0,135641131,1568699095683]);

> M,tw := MinimalQuadraticTwist(E);

> M,tw;

Elliptic Curve defined by y^2 + y = x^3 + x^2 + 3*x + 5 over Rational Field

7132

> MinimalModel(QuadraticTwist(M, tw));

Elliptic Curve defined by y^2 = x^3 + x^2 + 135641131*x + 1568699095683 over

Rational Field

103.3 Operations on Curves


aInvariants(E)

Coefficients(E)

ElementToSequence(E)

Eltseq(E)

Given an elliptic curve E, this function returns a sequence consisting of the Weier-strass coefficients of E; this is the sequence [a1, a2, a3, a4, a6] such that E is definedby y2z + a1xyz + a3yz2 = x3 + a2x

2z + a4xz2 + a6z3. Note that even if E was

defined by a sequence [a, b] of length two, this function returns the five coefficients(the first three being zero in that case).


bInvariants(E)

This function returns a sequence of length 4 containing the b-invariants of the ellipticcurve E, namely [b2, b4, b6, b8]. In terms of the coefficients of E these are defined by

b2 = a21 + 4a2

b4 = a1a3 + 2a4

b6 = a23 + 4a6

b8 = a21a6 + 4a2a6 − a1a3a4 + a2a

23 − a2

4.

cInvariants(E)

This function returns a sequence of length 2 containing the c-invariants of the ellipticcurve E, namely [c4, c6]. In terms of the b-invariants of E these are defined by

c4 = b22 − 24b4

c6 = −b32 + 36b2b4 − 216b6.

Discriminant(E)

This function returns the discriminant ∆ of the elliptic curve E. In terms of theb-invariants of E it is defined by

∆ = −b22b8 − 8b3

4 − 27b26 + 9b2b4b6

and there is also the relationship 1728∆ = c34 − c2

6.

jInvariant(E)

Return the j-invariant of the elliptic curve E. In terms of the c-invariants and thediscriminant of E it is defined by j = c3

4/∆. Two elliptic curves defined overthe same base field are isomorphic over some extension field exactly when theirj-invariants are equal.

HyperellipticPolynomials(E)

Returns polynomials x3 + a2x2 + a4x + a6 and a1x + a3, formed from the invariants

of the elliptic curve E.

Example H103E10

Here are a few simple uses of the above functions.

> E := EllipticCurve([0, -1, 1, 1, 0]);

> E;

Elliptic Curve defined by y^2 + y = x^3 - x^2 + x over Rational Field

> aInvariants(E);

[ 0, -1, 1, 1, 0 ]

> Discriminant(E);


-131

> c4, c6 := Explode(cInvariants(E));

> jInvariant(E) eq c4^3 / Discriminant(E);

true

Example H103E11

By constructing a generic elliptic curve we can see that the relationships described above hold.

> F<a1, a2, a3, a4, a6> := FunctionField(Rationals(), 5);

> E := EllipticCurve([a1, a2, a3, a4, a6]);

> E;

Elliptic Curve defined by y^2 + a1*x*y + a3*y = x^3 + a2*x^2 + a4*x + a6

over F

> aInvariants(E);

[

a1,

a2,

a3,

a4,

a6

]

> bInvariants(E);

[

a1^2 + 4*a2,

a1*a3 + 2*a4,

a3^2 + 4*a6,

a1^2*a6 - a1*a3*a4 + a2*a3^2 + 4*a2*a6 - a4^2

]

> b2,b4,b6,b8 := Explode(bInvariants(E));

> cInvariants(E);

[

a1^4 + 8*a1^2*a2 - 24*a1*a3 + 16*a2^2 - 48*a4,

-a1^6 - 12*a1^4*a2 + 36*a1^3*a3 - 48*a1^2*a2^2 + 72*a1^2*a4 +

144*a1*a2*a3 - 64*a2^3 + 288*a2*a4 - 216*a3^2 - 864*a6

]

> c4,c6 := Explode(cInvariants(E));

> c4 eq b2^2 - 24*b4;

true

> c6 eq -b2^3 + 36*b2*b4 - 216*b6;

true

> d := Discriminant(E);

> d;

-a1^6*a6 + a1^5*a3*a4 - a1^4*a2*a3^2 - 12*a1^4*a2*a6 + a1^4*a4^2 +

8*a1^3*a2*a3*a4 + a1^3*a3^3 + 36*a1^3*a3*a6 - 8*a1^2*a2^2*a3^2 -

48*a1^2*a2^2*a6 + 8*a1^2*a2*a4^2 - 30*a1^2*a3^2*a4 + 72*a1^2*a4*a6 +

16*a1*a2^2*a3*a4 + 36*a1*a2*a3^3 + 144*a1*a2*a3*a6 - 96*a1*a3*a4^2 -

16*a2^3*a3^2 - 64*a2^3*a6 + 16*a2^2*a4^2 + 72*a2*a3^2*a4 +


288*a2*a4*a6 - 27*a3^4 - 216*a3^2*a6 - 64*a4^3 - 432*a6^2

> d eq -b2^2*b8 - 8*b4^3 - 27*b6^2 + 9*b2*b4*b6;

true

> 1728*d eq c4^3 - c6^2;

true

103.3.2 Associated Structures

Category(E) Type(E)

Returns the category of elliptic curves, CrvEll.

BaseRing(E) CoefficientRing(E)

The base ring of the elliptic curve E; that is, the parent of its coefficients and thecoefficient ring of the default point set of E.

103.3.3 Predicates on Elliptic Curves

E eq F

Returns true if and only if the elliptic curves E and F are defined over the samering and have the same coefficients.

E ne F

The logical negation of eq.

IsIsomorphic(E, F)

Given two elliptic curves E and F this function returns true if there exists anisomorphism between E and F over the base field, and false otherwise. If E andF are isomorphic, the isomorphism is returned as a second value. This functionrequires being able to take roots in the base field.

IsIsogenous(E, F)

Given two elliptic curves E and F defined over the rationals or a finite field, thisfunction returns true if the curves E and F are isogenous over this field, and falseotherwise. In the rational case, if the curves are isogenous then the isogeny will bereturned as the second value. For finite fields, the isogeny computation operates viapoint counting, and thus no isogeny is returned.


Example H103E12

We return to the curves in the earlier quadratic twist example. By definition, these curves arenot isomorphic over their base field, but are isomorphic over a quadratic extension.

> K := GF(13);

> E := EllipticCurve([K | 3, 1]);

> E5 := QuadraticTwist(E, 5);

> IsIsomorphic(E, E5);

false

> IsIsomorphic(BaseExtend(E, 2), BaseExtend(E5, 2));

true

Since they are isomorphic over an extension, their j-invariants must be the same.

> jInvariant(E) eq jInvariant(E5);

true

103.4 Subgroup Schemes

A subgroup scheme G of an elliptic curve E is a subscheme of E defined by a univariatepolynomial ψ, and closed under the group law on E. The points of G are those pointsof E whose x-coordinate is a root of ψ. All elliptic curves are considered to be subgroupschemes with defining polynomial ψ = 0.

103.4.1 Creation of Subgroup Schemes

SubgroupScheme(G, f)

Creates the subgroup scheme of the subgroup scheme G defined by the univariatepolynomial f . No checking is done to ensure that the rational points of the resultactually do form a group under the addition law. Note that G can be an ellipticcurve.

TorsionSubgroupScheme(G, n)

Returns the subgroup scheme of n-torsion points of the subgroup scheme G. Notethat G can be an elliptic curve.



Category(G)

Type(G)

Returns the category of elliptic curve subgroup schemes, SchGrpEll.

Curve(G)

Generic(G)

Returns the elliptic curve E of which G is a subgroup scheme.

BaseRing(G)

CoefficientRing(G)

The base ring of the subgroup scheme G; this is the same as the base ring of itscurve.

DefiningSubschemePolynomial(G)

Returns the univariate polynomial that defines G as a subscheme of its curve.

103.4.3 Predicates on Subgroup Schemes

G1 eq G2

Returns true if and only if G1 and G2 are subgroup schemes of the same ellipticcurve and are defined by equal polynomials.

G1 ne G2


103.4.4 Points of Subgroup Schemes

#G

Order(G)

The order of the group of rational points on the subgroup scheme G.

FactoredOrder(G)

The factorization of the order of the group of rational points on the subgroup schemeG.

Points(G)

RationalPoints(G)

The indexed set of rational points of the subgroup scheme G over its base ring.


Example H103E13

We construct a curve over F49 and form several subgroup schemes from it.

> K<w> := GF(7,2);

> P<t> := PolynomialRing(K);


> G := SubgroupScheme(E, (t-4)*(t-5)*(t-6));

> G;

Subgroup scheme of E defined by x^3 + 6*x^2 + 4*x + 6

> Points(G);

@ (0 : 1 : 0), (6 : 1 : 1), (6 : 6 : 1), (4 : 1 : 1), (4 : 6 : 1),

(5 : 0 : 1) @

The points of order 3 form a further subgroup.

> [ Order(P) : P in $1 ];

[ 1, 3, 3, 6, 6, 2 ]

> G2 := SubgroupScheme(G, t - 6);

> G2;

Subgroup scheme of E defined by x + 1

> Points(G2);

@ (0 : 1 : 0), (6 : 1 : 1), (6 : 6 : 1) @

We can find this subgroup another way, as the intersection of the 15-torsion points of E and G.

> G3 := TorsionSubgroupScheme(E, 15);

> #G3;

15

> G4 := SubgroupScheme(G3, DefiningSubschemePolynomial(G));

> G4;


> G2 eq G4;

true

103.5 Operations on Point Sets

Each elliptic curve E has associated with it a family of point sets of E indexed by coefficientrings. These point sets, not E, are the objects in which points lie. If K is the base ringof E and L is some extension of K, then the elements of the point set E(L) comprise allpoints lying on E whose coordinates are in L.

There is a distinguished point set E(K) of E which is called the base point set of E.Many intrinsics (such as #, or TorsionSubgroup), strictly speaking, only make sense whenapplied to point sets; as a convenience, when E is passed to these functions the behaviouris the same as if the base point set E(K) were passed instead. It is important to remember,however, that E and E(K) are different objects and will not always behave in the samemanner.


The above statements are equally valid if the elliptic curve E is replaced by somesubgroup scheme G. Moreover, the types of the point sets of G and E are the same, andsimilarly for points. (They may be distinguished by checking the type of the scheme ofwhich they are point sets.)

103.5.1 Creation of Point Sets

E(L)

PointSet(E, L)

Given an elliptic curve E (or a subgroup scheme thereof) and an extension L of itsbase ring, this function returns a point set whose elements are points on E withcoefficients in L.

E(m)

PointSet(E, m)

Given an elliptic curve E (or a subgroup scheme thereof) and a map m from thebase ring of E to a field L, this function returns a point set whose elements arepoints on E with coefficients in L. The map is retained to permit coercions betweenpoint sets.


Category(H)

Type(H)

Returns the category of point sets of elliptic curves, SetPtEll.

Scheme(H)

Returns the associated scheme (either an elliptic curve or a subgroup scheme) ofwhich H is a point set.

Curve(H)

Returns the associated elliptic curve that contains Scheme(H).

Ring(H)

The ring that contains the coordinates of points in H.


103.5.3 Predicates on Point Sets

H1 eq H2

Returns whether the two point sets are equal. That is, whether the point sets haveequal coefficient rings and elliptic curves (subgroup schemes).

H1 ne H2


Example H103E14

We create an elliptic curve E over GF(5) and then construct two associated point sets:

> K := GF(5);


> H := E(K);

> H;

Set of points of E with coordinates in GF(5)

> H2 := E(GF(5,2));

> H2;

Set of points of E with coordinates in GF(5^2)

We note that although these are point sets of the same curve, they are not equal because the ringsare not equal.

> Scheme(H) eq Scheme(H2);

true

> Ring(H) eq Ring(H2);

false

> H eq H2;

false

Similarly, we see that a point set of a subgroup scheme is not the same object as the point set ofthe curve because the schemes are different.

> P<t> := PolynomialRing(K);

> G := SubgroupScheme(E, t - 2);

> HG := G(K);

> Scheme(HG) eq Scheme(H);

false

> Ring(HG) eq Ring(H);

true

> HG eq H;

false

Also note that the scheme and the parent curve of point sets of G are different:

> Scheme(HG);


> Curve(HG);

Elliptic Curve defined by y^2 = x^3 + x over GF(5)


103.6 Operations on PointsPoints on an elliptic curve over a field are given in terms of projective coordinates: a point(a, b, c) is equivalent to (x, y, z) if and only if there exists an element u (in the field ofdefinition) such that ua = x, ub = y, and uc = z. The equivalence class of (x, y, z) isdenoted by the projective point (x : y : z). At least one of the projective coordinates mustbe nonzero. We call the coefficients normalized if either z = 1, or z = 0 and y = 1.

103.6.1 Creation of PointsIn this section the descriptions will refer to a point set H, which is either the H in thesignature or the base point set of the elliptic curve E in the signature.

H ! [x, y, z] elt< H | x, y, z >

E ! [x, y, z] elt< E | x, y, z >

Given a point set H = E(R) and coefficients x, y, z in R satisfying the equationfor E, return the normalized point P = (x : y : z) in H. If z is not specified it isassumed to be 1.

H ! 0 Id(H) Identity(H)

E ! 0 Id(E) Identity(E)

Return the normalized identity point (0 : 1 : 0) of the point set H on the ellipticcurve E.

Points(H, x)

Points(E, x)

Returns the sequence of points in the pointset H on the elliptic curve E whosex-coordinate is x.

Points(H) RationalPoints(H)

Points(E) RationalPoints(E)

Bound RngIntElt Default : 0NPrimes RngIntElt Default : 30DenominatorBound RngIntElt Default : Bound

Given a point set H or an elliptic curve E over the rationals, a number field or afinite field, an indexed set of the rational points in the set is returned. If the pointset is over the rationals or a number field, then a positive value for the parameterBound must be given; this function then returns those points whose naive height isbounded by Bound.

If E is over a number field, the parameters NPrimes and DenominatorBound maybe given. The parameter NPrimes controls the number of primes which are used andDenominatorBound the size of the denominators used. A sieve method, describedin Appendix A of [Bru02], is used.


PointsAtInfinity(H)

PointsAtInfinity(E)

Returns the indexed set containing the identity point of the pointset H or on theelliptic curve E.


IsPoint(H, S)

IsPoint(E, S)

Returns true if the sequence of values in S are the coordinates of a point in thepointset H or on the elliptic curve E, false otherwise. If this is true, then thecorresponding point is returned as the second value.

IsPoint(H, x)

IsPoint(E, x)

Returns true if x is the x-coordinate of a point in the pointset H or on the ellipticcurve E, false otherwise. If this is true, then a corresponding point is returned asthe second value. Note that the point at infinity of H will never be returned.

103.6.3 Access Operations

P[i]

Access the i-th coefficient for an elliptic curve point P , for 1 ≤ i ≤ 3.

ElementToSequence(P)

Eltseq(P)

Given a point P on an elliptic curve, this function returns a sequence of length 3consisting of its coefficients (normalized).


Category(P)

Type(P)

Given a point P on an elliptic curve, this function returns the category of ellipticcurve points, PtEll.

Parent(P)

Given a point P on an elliptic curve, this function returns the parent point set forP .

Scheme(P)

Curve(P)

Given a point P on an elliptic curve or scheme, this function returns the correspond-ing scheme or elliptic curve for the parent point set of P .


103.6.5 ArithmeticThe points on an elliptic curve over a field form an abelian group, for which we use theadditive notation. The identity element is the point O = (0 : 1 : 0).

-P

The additive inverse of the point P on an elliptic curve E.

P + Q

Returns the sum P + Q of two points P and Q on the same elliptic curve.

P +:= Q

Given two points P and Q on the same elliptic curve, set P equal to their sum.

P - Q

Returns the difference P −Q of two points P and Q on the same elliptic curve.

P -:= Q

Given two points P and Q on the same elliptic curve, set P equal to their difference.

n * P

Returns the n-th multiple of the point P on an elliptic curve.

P *:= n

Set the point P equal to the n-th multiple of itself.

103.6.6 Division Points

P / n

Given a point P on an elliptic curve E and an integer n, this function returns apoint Q on E such that P = nQ, if such a point exists. If no such point exists aruntime error results.

P /:= n

Given a point P on an elliptic curve E and an integer n, this function sets P equalto a point Q on E such that P = nQ, if such a point exists. If no such point existsa runtime error results.

DivisionPoints(P, n)

Given a point P on an elliptic curve E and an integer n, this function returns thesequence of all points Q on E such that P = nQ holds. If there are no such points,an empty sequence is returned.

IsDivisibleBy(P, n)

Given a point P on an elliptic curve E and an integer n, this function returns trueif P is n-divisible, and if so, an n-division point. Otherwise false is returned.


Example H103E15

> E := EllipticCurve([1, 0, 0, 12948, 421776]);

> P := E![ -65498304*1567, -872115836268, 1567^3 ];

> DivisionPoints(P, 3);

[ (312 : -6060 : 1), (-30 : -66 : 1), (216 : 3540 : 1) ]

Note that P has three three-division points — this tells us that there are three 3-torsion pointsin E. In fact, there are 9 points in the torsion subgroup.

> DivisionPoints(E!0, 9);

[ (0 : 1 : 0), (24 : 852 : 1), (24 : -876 : 1), (-24 : -300 : 1), (-24 : 324 : 1),

(600 : 14676 : 1), (600 : -15276 : 1), (132 : 2040 : 1), (132 : -2172 : 1) ]

Example H103E16

We construct some points in a certain elliptic curve over Q and try by hand to find a “smaller”set of points that generate the same group.

> E := EllipticCurve([0, 0, 1, -7, 6]);

> P1 := E![ 175912024457 * 278846, -41450244419357361, 278846^3 ];

> P2 := E![ -151 * 8, -1845, 8^3 ];

> P3 := E![ 36773 * 41, -7036512, 41^3 ];

> P1; P2; P3;

(175912024457/77755091716 : -41450244419357361/21681696304639736 : 1)

(-151/64 : -1845/512 : 1)

(36773/1681 : -7036512/68921 : 1)

Now we try small linear combinations in the hope of finding nicer looking points. We shall omitthe bad guesses and just show the good ones.

> P1 + P2;

(777/3364 : 322977/195112 : 1)

Success! We replace P1 with this new point and keep going.

> P1 +:= P2;

> P2 + P3;

(-3 : 0 : 1)

> P2 +:= P3;

> P3 - P1;

(-1 : -4 : 1)

> P3 -:= P1;

> P1 - 2*P2;

(0 : 2 : 1)

> P1 -:= 2*P2;

> [ P1, P2, P3 ];

[ (0 : 2 : 1), (-3 : 0 : 1), (-1 : -4 : 1) ]

The pairwise reductions no longer help, but there is a smaller point with x-coordinate 1:

> IsPoint(E, 1);


true (1 : 0 : 1)

After a small search we find:

> P1 - P2 - P3;

(1 : 0 : 1)

> P2 := P1 - P2 - P3;

> [ P1, P2, P3 ];

[ (0 : 2 : 1), (1 : 0 : 1), (-1 : -4 : 1) ]

Using a naive definition of “small” these are the smallest possible points. (Note that there arepoints of smaller canonical height.) These points are in fact the generators of the Mordell–Weilgroup for this particular elliptic curve. Since none of the transformations changed the size of thespace spanned by the points it follows that the original set of points are also generators of E.However, the reduced points form a much more convenient basis.

Example H103E17

We construct an elliptic curve over a function field (hence an elliptic surface) and form a “generic”point on it. First, we construct the function field.

> E := EllipticCurve([GF(97) | 1, 2]);

> K<x, y> := FunctionField(E);

Now we lift the curve to be over its own function field, and form a generic point on E.

> EK := BaseChange(E, K);

> P := EK![x, y, 1];

> P;

(x : y : 1)

> 2*P;

((73*x^4 + 48*x^2 + 93*x + 73)/(x^3 + x + 2) : (85*x^6 + 37*x^4 + 5*x^3

+ 60*x^2 + 96*x + 8)/(x^6 + 2*x^4 + 4*x^3 + x^2 + 4*x + 4)*y : 1)

Finally, we verify that addition of the generic point defines the addition law on the curve.

> m2 := MultiplicationByMMap(E, 2);

> P := E![ 32, 93, 1 ];

> m2(P);

(95 : 63 : 1)

> 2*P;

(95 : 63 : 1)


103.6.7 Point Order

Order(P)

Given a point on an elliptic curve defined over Q or a finite field, this functioncomputes the order of P ; that is, the smallest positive integer n such that n ·P = Oon the curve. If no such positive n exists, then 0 is returned to indicate infiniteorder. If the curve is defined over a finite field, the order of the curve will first becomputed.

FactoredOrder(P)

Given a point on an elliptic curve defined over Q or over a finite field, this functionreturns the factorization of the order of P . If the curve is over a finite field thenon repeated applications this is generally much faster than factorizing Order(P)because the factorization of the order of the curve will be computed and stored. Anerror ensues if the curve is defined over Q and P has infinite order.

Example H103E18

We show a few simple operations with points on an elliptic curve over a large finite field.

> E := EllipticCurve([GF(NextPrime(10^12)) | 1, 1]);

> Order(E);

1000001795702

> FactoredOrder(E);

[ <2, 1>, <7, 1>, <13, 1>, <19, 1>, <31, 1>, <43, 1>, <59, 1>, <3677, 1> ]

> P := E ! [652834414164, 320964687531, 1];

> P;

(652834414164 : 320964687531 : 1)

> IsOrder(P, Order(E));

true

> FactoredOrder(P);

[ <2, 1>, <7, 1>, <13, 1>, <19, 1>, <31, 1>, <43, 1>, <59, 1>, <3677, 1> ]

> FactoredOrder(3677 * 59 * P);

[ <2, 1>, <7, 1>, <13, 1>, <19, 1>, <31, 1>, <43, 1> ]

103.6.8 Predicates on Points

IsId(P)

IsIdentity(P)

IsZero(P)

Returns true if and only if the point P is the identity point of its point set, falseotherwise.


P eq Q

Returns true if and only if P and Q are points on the same elliptic curve and havethe same normalized coordinates.

P ne Q


P in H

Given a point P , return true if and only if P is in the point set H. That is, itsatisfies the equation of E and its coordinates lie in R, where H = E(R).

P in E

Given a point P , return true if and only if P is on the elliptic curve E (i.e., satisfiesits defining equation). Note that this is an exception to the general rule, in that Pdoes not have to lie in the base point set of E for this to be true.

IsOrder(P, m)

Returns true if and only if the point P has order m. If you believe that you knowthe order of the point then this intrinsic is likely to be much faster than just callingOrder.

IsIntegral(P)

Given a point P on an elliptic curve defined over Q, this function returns true ifand only if the coordinates of the (normalization of) P are integers.

IsSIntegral(P, S)

Given a point P on an elliptic curve defined over Q and a sequence S of primes,this function returns true if and only if the coordinates of the (normalization of) Pare S-integers. That is, the denominators of x(P ) and y(P ) are only supported byprimes of S.

Example H103E19

We find some integral and S-integral points on a well-known elliptic curve.

> E := EllipticCurve([0, 17]);

> P1 := E![ -2, 3 ];

> P2 := E![ -1, 4 ];

> S := [ a*P1 + b*P2 : a,b in [-3..3] ];

> #S;

49

> [ P : P in S | IsIntegral(P) ];

[ (43 : -282 : 1), (5234 : -378661 : 1), (2 : -5 : 1), (8 : 23 : 1),

(4 : 9 : 1), (-2 : -3 : 1), (52 : -375 : 1), (-1 : -4 : 1), (-1 : 4 : 1),

(52 : 375 : 1), (-2 : 3 : 1), (4 : -9 : 1), (8 : -23 : 1), (2 : 5 : 1),

(5234 : 378661 : 1), (43 : 282 : 1) ]

> [ P : P in S | IsSIntegral(P, [2, 3]) and not IsIntegral(P) ];


[ (1/4 : 33/8 : 1), (-8/9 : 109/27 : 1), (-206/81 : -541/729 : 1),

(137/64 : 2651/512 : 1), (137/64 : -2651/512 : 1), (-206/81 : 541/729 : 1),

(-8/9 : -109/27 : 1), (1/4 : -33/8 : 1) ]

103.6.9 Weil PairingMagma contains an optimized implementation of the Weil pairing on an elliptic curve.This function is used in the computation of the group structure of elliptic curves over finitefields, making the determination of the group structure efficient.

WeilPairing(P, Q, n)

Given n-torsion points P and Q of an elliptic curve E. this function computes theWeil pairing of P and Q.

IsLinearlyIndependent(S, n)

Given a sequence S of points of an elliptic curve E such that each point has orderdividing n, this function returns true if and only if the points in S are linearlyindependent over Z/nZ.

IsLinearlyIndependent(P, Q, n)

Given points P and Q of an elliptic curve E, this function returns true if and onlyif P and Q form a basis of the n-torsion points of E.

Example H103E20

We compute the Weil pairing of two 3-torsion points on the curve y2 = x3 − 3 over Q.

> E := EllipticCurve([0,-3]);

> E;

> P1, P2, P3 := Explode(ThreeTorsionPoints(E));

> P1;

(0 : 2*zeta_3 + 1 : 1)

> Parent(P1);

Set of points of E with coordinates in Cyclotomic Field

of order 3 and degree 2

> Parent(P2);

Set of points of E with coordinates in Number Field with

defining polynomial X^3 - 18*X - 30 over the Rational Field

In order to take the Weil pairing of two points, we need to coerce them into the same point set.This turns out to be a point set over a number field K of degree 6.

> Qmu3 := Ring(Parent(P1));

> K<w> := CompositeFields(Ring(Parent(P1)), Ring(Parent(P2)))[1];

> wp := WeilPairing( E(K)!P1, E(K)!P2, 3 );

> wp;

1/975*(14*w^5 + 5*w^4 - 410*w^3 - 620*w^2 + 3964*w + 8744)


> Qmu3!wp;

zeta_3

103.7 PolynomialsThe torsion or division polynomials are the polynomials defining the subschemes of n-torsion points on the elliptic curve.

DefiningPolynomial(E)

The homogeneous defining polynomial for the elliptic curve E.

DivisionPolynomial(E, n)

DivisionPolynomial(E, n, g)

Given an elliptic curve E and an integer n, returns the n-th division polynomialas a univariate polynomial over the base ring of E. If n is even, this polynomialhas multiplicity two at the nonzero 2-torsion points of the curve. The second returnvalue is the n-th division polynomial, divided by the univariate 2-torsion polynomialif n is even. The third argument is the cofactor, equal to the univariate 2-torsionpolynomial if n is even, and 1 otherwise.

If a polynomial is passed as a third argument, the division polynomial is com-puted efficiently modulo that polynomial.

TwoTorsionPolynomial(E)

Returns the multivariate 2-torsion polynomial 2y + a1x + a3 of the elliptic curve E,as a bivariate polynomial.

Example H103E21

Let E be an elliptic curve over a finite field K. The following code fragment illustrates therelationship between the roots in K of the n-th division polynomial for E, and the x-coordinatesof the points of n-torsion on E.

> K := GF(101);

> E := EllipticCurve([ K | 1, 1]);

> Roots(DivisionPolynomial(E, 5));

[ <86, 1>, <46, 1> ]

> [ P : P in RationalPoints(E) | 5*P eq E!0 ];

[ (86 : 34 : 1), (0 : 1 : 0), (46 : 25 : 1), (86 : 67 : 1), (46 : 76 : 1) ]

It is worth noting that even if the roots of the division polynomial lie in the field, the correspondingpoints may not, lying instead in a quadratic extension.

> Roots(DivisionPolynomial(E, 9));

[ <4, 1>, <17, 1>, <28, 1>, <34, 1>, <77, 1> ]

> Points(E, 4);

[]


> K2<w> := ext<K | 2>;

> Points(E(K2), 4);

[ (4 : 82*w + 57 : 1), (4 : 19*w + 44 : 1) ]

> Order($1[1]);

9

103.8 Curves over the Rationals

The functions in this section are only defined for elliptic curves over Q. Some of themrequire the curve to have integral coefficients; such a curve may be obtained by usingIntegralModel or, more usefully, MinimalModel.

Parts of the section on elliptic curves over number fields, in particular the functionalityfor Selmer groups, may also be of interest for curves over Q.

103.8.1 Local Invariants

Conductor(E)

The conductor of the elliptic curve E defined over Q.

BadPrimes(E)

Given an elliptic curve E defined over Q, return the sequence of primes dividing theminimal discriminant of E. These are the primes at which the minimal model for Ehas bad reduction; note that there may be other primes dividing the discriminantof the given model of E.

TamagawaNumber(E, p)

Given an elliptic curve E defined over Q and a prime number p, this function returnsthe local Tamagawa number of E at p, which is the index in E(Qp) of the subgroupE0(Qp) of points with nonsingular reduction modulo p. For any prime p that is ofgood reduction for E, this function returns 1.

TamagawaNumbers(E)

Given an elliptic curve E defined over Q, this function returns the sequence ofTamagawa numbers at each of the bad primes of E, as defined above.

LocalInformation(E, p)

Given an elliptic curve E defined over Q and a prime number p, this function returnsthe local information at the prime p as a tuple of the form < P, vpd, fp, cp, K, split >,consisting of p, its multiplicity in the discriminant, its multiplicity in the conductor,the Tamagawa number at p, the Kodaira symbol, and finally a boolean which isfalse iff the curve has nonsplit multiplicative reduction. The second object returnedis a local minimal model for E at p.


LocalInformation(E)

Given an elliptic curve E this function returns a sequence of tuples of the kinddescribed above, for the primes dividing the discriminant of E.

ReductionType(E, p)

Returns a string describing the reduction type of E at p; the possibilities are “Good”,“Additive”, “Split multiplicative” or “Nonsplit multiplicative”. These correspondto the type of singularity (if any) on the reduced curve. This function is necessaryas the Kodaira symbols (see below) do not distinguish between split and unsplitmultiplicative reduction.

FrobeniusTraceDirect(E, p)

Given a rational elliptic curve E and a prime p, this function provides an efficientway to directly compute the trace of Frobenius (without having to create GF (p),coercing E into this field, etc). The argument p is not checked to be prime.

TracesOfFrobenius(E, B)

The sequence of traces of Frobenius ap(E), of the reduction mod p of E, for allprimes p up to B. This function is very carefully optimised.

103.8.2 Kodaira SymbolsKodaira symbols have their own type SymKod. Apart from the two functions that determinesymbols for elliptic curves, there is a special creation function and a comparison operatorto test Kodaira symbols.

KodairaSymbol(E, p)

Given an elliptic curve E defined over Q and a prime number p, this function returnsthe reduction type of E modulo p in the form of a Kodaira symbol.

KodairaSymbols(E)

Given an elliptic curve E defined over Q, this function returns the reduction typesof E modulo the bad primes in the form of a sequence of Kodaira symbols.

KodairaSymbol(s)

Given a string s, return the Kodaira symbol it represents. The values of s thatare allowed are: "I0", "I1", "I2", ..., "In", "II", "III", "IV", and "I0*", "I1*","I2*", ..., "In*", "II*", "III*", "IV*". The dots stand for "Ik" with k a positiveinteger. The ‘generic’ type "In" allows the matching of types "In" for any integern > 0 (and similarly for "In*").


h eq k

Given two Kodaira symbols h and k, this function returns true if and only if eitherboth are identical, or one is generic (of the form "In", or "In*") and the other isspecific of the same type: "In" will compare equal with any of "I1", "I2", "I3",etc., and "In*" will compare equal with any of "I1*", "I2*", "I3*", etc. Notehowever that "In" and "I3" are different from the point of view of set creation.

h ne k


Example H103E22

We search for curves with a particular reduction type ‘I0*’ in a family of curves.

> S := [ ];

> for n := 2 to 200 do

> E := EllipticCurve([n, 0]);

> for p in BadPrimes(E) do

> if KodairaSymbol(E, p) eq KodairaSymbol("I0*") then

> Append(~S, <p, n>);

> end if;

> end for;

> end for;

> S;

[ <3, 9>, <3, 18>, <5, 25>, <3, 36>, <3, 45>, <7, 49>, <5, 50>,

<3, 63>, <3, 72>, <5, 75>, <3, 90>, <7, 98>, <3, 99>, <5, 100> ]

103.8.3 Complex Multiplication

HasComplexMultiplication(E)

Given an elliptic curve E over the rationals (or a number field), the function deter-mines whether the curve has complex multiplication or not and, if so, also returnsthe discriminant of the CM quadratic order. The algorithm uses fairly straightfor-ward analytic methods, which are not suited to very high degree j-invariants withCM by orders with discriminants more than a few thousand.


103.8.4 Isogenous Curves

IsogenousCurves(E)

The set of curves Q-isogenous to a rational elliptic curve E. The method used isto proceed prime-by-prime. Mazur’s Theorem restricts the possibilities to a shortlist, and j-invariant considerations leave only p-isogenies for p = 2, 3, 5, 7, 13 to beconsidered. For p = 2 or 3, the method proceeds by finding the rational roots of thep-th division polynomial for the curve E. From these roots, one can then recover theisogenous curves. The question as to whether or not there is a p-isogeny is entirelya function of the j-invariant of the curve, and this idea is used for p = 5, 7, 13. Inthese cases the algorithm first takes a minimal twist of the elliptic curve, and thenfinds rational roots of the polynomial of degree (p + 1) that comes from a fibre ofX0(p). The isogenous curves of the minimal twist corresponding to these roots arethen computed, and then these curves are twisted back to get the isogenous curvesof E. In all cases, if the conductor is squarefree, some small values of the Frobeniustraces are checked mod p to ensure the feasibility of a p-isogeny. Other similarideas involving checking congruences are also used to try to eliminate the possibilityof a p-isogeny without finding roots. Tree-based methods are used to extend theisogeny tree from (say) 2-isogenies to 4-isogenies to 8-isogenies, etc. The integerreturned as a second argument corresponds to the largest degree of a cyclic isogenybetween two curves in the isogeny class. The ordering of the list of curves returnedis well-defined; the first curve is always the curve of minimal Faltings height, andthe heights generically increase upon going down the list. However, when there areisogenies of two different prime degrees, a different ordering is used. In the casewhere there is a 4-isogeny (or a certain type of 9-isogeny), there is an arbitrarychoice made on the bottom tree leaves in order to make the ordering consistent.

FaltingsHeight(E)

Precision RngIntElt Default :

Compute the Faltings height of a rational elliptic curve. This is given by− 1

2 log Vol(E) where Vol(E) is the volume of the fundamental parallelogram.

Example H103E23

First we compute isogenous curves using DivisionPolynomial; in this special case we obtain theentire isogeny class by considering only 3-isogenies directly from E.

> E:=EllipticCurve([1,-1,1,1,-1]);

> F:=Factorization(DivisionPolynomial(E,3));

> I:=IsogenyFromKernel(E,F[1][1]); I;

Elliptic Curve defined by y^2 + x*y + y = x^3 - x^2 - 29*x - 53 over Rational

Field

> I:=IsogenyFromKernel(E,F[2][1]); I;

Elliptic Curve defined by y^2 + x*y + y = x^3 - x^2 - 14*x + 29 over Rational


Field

Alternatively, we can get the IsogenousCurves directly. Note that IsogenyFromKernel also re-turns the map between the isogenous curves as a second argument.

> IsogenousCurves(E);

[

Elliptic Curve defined by y^2 + x*y + y = x^3 - x^2 + x - 1 over Rational

Field,

Elliptic Curve defined by y^2 + x*y + y = x^3 - x^2 - 29*x - 53 over

Rational Field,

Elliptic Curve defined by y^2 + x*y + y = x^3 - x^2 - 14*x + 29 over

Rational Field

]

9

103.8.5 Mordell–Weil GroupThe Mordell–Weil group of an elliptic curve E over the rationals is the finitely generatedgroup of points of E with rational coordinates. As is customary in cases of this kind, thefunctions return an abstract group together with a map from that group to the curve.

Like all group functions on elliptic curves, these intrinsics really apply to a particularpoint set; the curve is identified with its base point set for the purposes of these functions.To aid exposition only the versions that take the curves are shown but an appropriatepoint set (over Q) may be used instead.

Note: Because there is no guaranteed method of calculating the rank, the rank computedin the functions below will be a lower bound but may not be known to actually be the rank.In such cases a warning message will be printed the first time the rank of a particular curveis computed. The use of RankBounds instead of Rank is recommended for this reason.

MordellWeilShaInformation(E: parameters)

DescentInformation(E: parameters)

RankOnly BoolElt Default : false

ShaInfo BoolElt Default : false

This is a special function which uses all relevant Magma machinery to obtainas much information as possible about the Mordell-Weil group and the Tate-Shafarevich group of the given elliptic curve E over Q. The tools used include2-descent, 4-descent, the Cassels-Tate pairing, 3-descent, and also analytic routineswhen the conductor of E is not too large. The information is progessively refined asthe various tools are applied, in some appropriate order, and a summary is printedat each stage. At the end, the collected information is returned in three sequences.

The first sequence returned contains lower and upper bounds on the Mordell-Weil rank of E(Q), and the second is the sequence of independent generators of the


Mordell-Weil group (including torsion) that have been found. The third sequence re-turned contains the information obtained about the Tate-Shafarevich group Sha(E):letting rn denote the largest integer such that Z/nZ is contained in Sha(E), thetuple <n, [l,u]> would indicate that the computations prove l ≤ rn ≤ u.

When RankOnly is set to true, the routine will terminate as soon as the Mordell-Weil rank has been determined, and will not attempt to find Mordell-Weil generatorsor determine the structure of Sha(E). When ShaInfo is set to true, the routinewill probe the structure of Sha(E) by all available means; otherwise (by default) itwill terminate as soon as the rank and generators of the Mordell-Weil group havebeen found.

Rank(E: parameters)

MordellWeilRank(E: parameters)

Bound RngIntElt Default : 150Given an elliptic curve E defined over Q, this function returns the rank of theMordell–Weil group of E.

The general procedure to calculate the rank involves searching for rational pointson certain homogeneous spaces represented by equations of the form y2 = ax4+bx3+cx2 + dx + e. The parameter Bound is a bound on the numerator and denominatorof x that will be used when searching for such points.

RankBounds(E: parameters)

MordellWeilRankBounds(E: parameters)

Bound RngIntElt Default : 150Given an elliptic curve E defined over Q, this computes and returns lower and upperbounds on the rank of the Mordell–Weil group of E. The parameter Bound is asdescribed in the intrinsic Rank. This function will not generate the usual warningmessage if the upper and lower bounds are not equal.

AbelianGroup(E: parameters)

MordellWeilGroup(E: parameters)

Bound RngIntElt Default : 150HeightBound RngIntElt Default : 15

The Mordell–Weil group of an elliptic curve E defined over Q. The function returnstwo values: an abelian group A and a map m from A to E. The map m providesan isomorphism between the abstract group A and the Mordell–Weil group.

The parameter Bound is used during the rank computation part of the algorithm,and has the same meaning as described in the intrinsic Rank, above. The groupcomputation involves searching for points on E up to a certain (naive) height. Theparameter HeightBound is used to limit this search as the rigorous bounds maynot be feasible. When the HeightBound is less than the rigorous bound, a warning


message is printed. In this situation, the user may wish to also use Saturation (seebelow).

Saturation(points, n)

OmitPrimes [ RngIntElt ] Default : []Check BoolElt Default : true

Given a sequence of points on an elliptic curve E over the rationals, and an integern, this function returns a sequence of points generating a subgroup of E(Q) whichcontains the given points and which is p-saturated for all primes p up to n. (Asubgroup S is p-saturated in a group G if there is no intermediate subgroup H forwhich the index [H : S] is finite and divisible by p.)

If OmitPrimes is set to be a sequence of primes, then the group is not checkedto be p-saturated for those primes. If Check is set to false, the given sequenceof points are assumed to be independent modulo torsion (equivalently, their heightpairing is assumed to be non-degenerate).

TorsionSubgroup(E)

Given an elliptic curve E defined over Q, this function returns an abelian group Aisomorphic to the torsion subgroup of the Mordell–Weil group, and a map from thisabstract group A to the elliptic curve providing the isomorphism. By a theorem ofMazur, A is either Ck (for k in 1..10 or 12) or C2 ×C2k (for k in 1..4). If thereare two generators then the first generator returned in this case will have order 2.

Generators(E)

Given an elliptic curve E defined over Q, this function returns generators for theMordell–Weil group of E, in the form of a sequence of points of E. The i-th elementof the sequence corresponds to the i-th generator of the group as returned by thefunction MordellWeilGroup; the generators of the torsion subgroup will come first(in the order described in TorsionSubgroup), followed by the points of infinite order.

NumberOfGenerators(E)

Ngens(E)

The number of generators of the group of rational points of the elliptic curve E; thisis simply the length of the sequence returned by Generators(E).

Example H103E24


> E;

Elliptic Curve defined by y^2 = x^3 + 73*x over Rational Field

> Factorization(Integers() ! Discriminant(E));

[ <2, 6>, <73, 3> ]

> BadPrimes(E);

[ 2, 73 ]


> LocalInformation(E);

[ <2, 6, 6, 1, II>, <73, 3, 2, 2, III> ]

> G, m := MordellWeilGroup(E);

> G;

Abelian Group isomorphic to Z/2 + Z + Z

Defined on 3 generators

Relations:

2*G.1 = 0

> Generators(E);

[ (0 : 0 : 1), (36 : 222 : 1), (657/4 : 16863/8 : 1) ]

> 2*m(G.1);

(0 : 1 : 0)

Example H103E25

Here is a curve with moderately large rank; we do not attempt to compute the full group sincethat would be quite time-consuming.

> E := EllipticCurve([0, 0, 0, -9217, 300985]);

> T, h := TorsionSubgroup(E);

> T;

Abelian Group of order 1

> time RankBounds(E);

7 7

Time: 0.070

This curve was well-behaved in that the computed lower and upper bounds on the rank are thesame, and so we know that we have computed the rank exactly. Here is a curve where that is notthe case:

> E := EllipticCurve([0, -1, 0, -140, -587]);

> time G, h := MordellWeilGroup(E);

Warning: rank computed (2) is only a lower bound

(It may still be correct, though)

Time: 0.090

> RankBounds(E);

2 4

The difficulty here is that the Tate–Shafarevich group of E is not trivial, and this blocks the2-descent process used to compute the rank. We can compute the AnalyticRank of the curve tobe 2, but this is only conjecturally equal to the rank. In cases like this, higher level descents mayprovide a more definitive answer; the machinery for two- and four-descents described in the nexttwo sections can be used to confirm that the rank is indeed 2. In any case, we can certainly getthe group with rank equal to the lower bound.

> G;

Abelian Group isomorphic to Z + Z

Defined on 2 generators (free)

> S := Generators(E);

> S;


[ (-6 : -1 : 1), (-7 : 1 : 1) ]

> [ Order(P) : P in S ];

[ 0, 0 ]

> h(G.1) eq S[1];

true

> h(G.2) eq S[2];

true

> h(2*G.1 + 3*G.2);

(-359741403/57729604 : 940675899883/438629531192 : 1)

> 2*S[1] + 3*S[2];

(-359741403/57729604 : 940675899883/438629531192 : 1)

As mentioned above, the rank of this curve is actually 2, so we have computed generators for thefull group of E.

103.8.6 Heights and Height PairingThese functions require that the corresponding elliptic curve has integral coefficients.

NaiveHeight(P)

WeilHeight(P)

Given a point P = (a/b, c/d, 1) on an elliptic curve E defined over Q with integralcoefficients, this function returns the naive (or Weil) height h(P ) whose definitionis h(P ) = log max|a|, |b|.

Height(P: parameters)

CanonicalHeight(P: parameters)


Given a point P on an elliptic curve E defined over Q with integral coefficients, thisfunction returns the canonical height h(P ).

One definition of h(P ) is h(P ) = limn→∞ 4−nh(2nP ), although this is of limitedcomputational use. A more useful computational definition is as the sum of localheights: h(P ) =

∑p≤∞ hp(P ), where the sum ranges over each prime p and the

so-called ‘infinite prime’. Each of these local heights can be evaluated fairly simply,and in fact most of them are 0. The function always uses a minimal model for theelliptic curve internally, as otherwise the local height computation could fail.

LocalHeight(P, p)


Given a point P on an elliptic curve E defined over Q with integral coefficients, thisfunction returns hp(P ), the local height of P at p as described in Height above.The integer p must be either a prime number or 0; in the latter case the height atthe infinite prime is returned.


HeightPairing(P, Q: parameters)


Given two points P,Q on the same elliptic curve defined over Q with integral co-efficients, this function returns the height pairing of P and Q, which is defined byh(P, Q) = (h(P + Q)− h(P )− h(Q))/2.

HeightPairingMatrix(S: parameters)

HeightPairingMatrix(E: parameters)


Given a sequence of points on an elliptic curve defined over Q with integral coeffi-cients, this function returns the height pairing matrix. If an elliptic curve is passedto it, the corresponding matrix for the Mordell–Weil generators is returned.

Regulator(S)


Given a sequence of points S on an elliptic curve E over Q, this function returnsthe determinant of the Neron-Tate height pairing matrix of the sequence.

Regulator(E)


Given an elliptic curve E this function returns the regulator of E; i.e., the determi-nant of the Neron-Tate height pairing matrix of a basis of the free quotient of theMordell–Weil group.

Example H103E26

> E := EllipticCurve([0,0,1,-7,6]);

> P1, P2, P3 := Explode(Generators(E));

> Height(P1);

0.6682051656519279350331420509

> IsZero(Abs(Height(2*P1) - 4*Height(P1)));

true

> BadPrimes(E);

[ 5077 ]

The local height of a point P at a prime is 0 except possibly at the bad primes of E, the ‘infinite’prime, and those primes dividing the denominator of the x-coordinate of P . Since these generatorshave denominator 1 we see that only two local heights need to be computed to find the canonicalheights of these points.

> P2;

(2 : 0 : 1)

> LocalHeight(P2, 0);

0.7670433553315462057954506466

> LocalHeight(P2, 5077);


0.0000000000000000000000000000

> Height(P2);

0.7670433553315462057954506466

The above shows that the local height at a bad prime may still be zero.

SilvermanBound(E)

Given an elliptic curve E over Q with integral coefficients, this function returns theSilverman bound BSilv of E. For any point P on E we will have h(P ) − h(P ) ≤BSilv.

SiksekBound(E: parameters)

Torsion BoolElt Default : false

Given an elliptic curve E over Q which is a minimal model, this function returns areal number B such that for any point P on E h(P )− h(P ) ≤ B. In many cases,the Siksek bound is much better than the Silverman bound.

If the parameter Torsion is true then a potentially better bound BTor is com-puted, such that for any point P on E there exists a torsion point T so thath(P + T )− h(P ) ≤ BTor . Note that h(P + T ) = h(P ).

Example H103E27

We demonstrate the improvement of the Siksek bound over the Silverman bound for the threeexample curves from Siksek’s paper [Sik95].

> E := EllipticCurve([0, 0, 0, -73705, -7526231]);

> SilvermanBound(E);

13.00022113685530200655193

> SiksekBound(E);

0.82150471924479497959096194911

> E := EllipticCurve([0, 0, 1, -6349808647, 193146346911036]);


21.75416864448061105008

> SiksekBound(E);

0.617777290687848386342334921728509577480

> E := EllipticCurve([1, 0, 0, -5818216808130, 5401285759982786436]);


27.56255914401769757660

> SiksekBound(E);

15.70818965430290161142481294545

This last curve has a torsion point, so we can further improve the bound:

> T := E![ 1402932, -701466 ];

> Order(T);

2

> SiksekBound(E : Torsion := true);


11.0309876231179839831829512652688

Here is a point which demonstrates the applicability of the modified bound.

> P := E![ 14267166114 * 109, -495898392903126, 109^3 ];

> NaiveHeight(P) - Height(P);

12.193000709615680011116868901084

> NaiveHeight(P + T) - Height(P);

2.60218831527724007036

IsLinearlyIndependent(P, Q)

Given points P and Q on an elliptic curve E, this function returns true if and onlyif P and Q are independent free elements of the group of rational points of an ellipticcurve (modulo torsion points). If false, the function returns a vector v = (r, s) asa second value such that rP + sQ is a torsion point.

IsLinearlyIndependent(S)

Given a sequence of points S belonging to an elliptic curve E, this function returnstrue if and only if the points in S are linearly independent (modulo torsion). Iffalse, the function returns a vector v in the kernel of the height pairing matrix, i.e.giving a torsion point as a linear combination of the points in S.

ReducedBasis(S)

Given a sequence of points S belonging to an elliptic curve E over the rationals, thefunction returns a sequence of points that are independent modulo the torsion sub-group (equivalently, they have non-degenerate height pairing), and which generatethe same subgroup of E(Q)/Etors(Q) as points of S.

Example H103E28

We demonstrate the linear independence test on an example curve with an 8-torsion point andfour independent points. The torsion point is easily recognized and we establish the independenceof the remaining points using the height function.

> E := EllipticCurve([0,1,0,-95549172512866864, 11690998742798553808334900]);

> P0 := E![ 39860582, 2818809365988 ];

> P1 := E![ 144658748, -946639447182 ];

> P2 := E![ 180065822, 569437198932 ];

> P3 := E![ -339374593, 2242867099638 ];

> P4 := E![ -3492442669/25, 590454479818404/125 ];

> S0 := [P0, P1, P2, P3, P4];

> IsLinearlyIndependent(S0);

false (1 0 0 0 0)

> Order(P0);

8

> S1 := [P1, P2, P3, P4];



true

We now demonstrate the process of solving for a nontrivial linear dependence among points onan elliptic curve by constructing a singular matrix, forming the corresponding linear combinationof points, and establishing that the dependence is in the matrix kernel.

> M := Matrix(4, 4, [-3,-1,2,-1,3,3,3,-2,3,0,-1,-1,0,2,1,1]);

> Determinant(M);

0

> S2 := [ &+[ M[i, j]*S1[j] : j in [1..4] ] : i in [1..4] ];


false ( 5 -3 8 7)

> Kernel(M);

RSpace of degree 4, dimension 1 over Integer Ring

Echelonized basis:

( 5 -3 8 7)

Despite the moderate size of the numbers which appear in the matrix M , we note that heightis a quadratic function in the matrix coefficients. Since height is a logarithmic function of thecoefficient size of the points, we see that the sizes of the points in this example are very large:

> [ RealField(16) | Height(P) : P in S2 ];

[ 137.376951049198, 446.51954933694, 52.724183282292, 59.091649046171 ]

> Q := S2[2];

> Log(Abs(Numerator(Q[1])));

467.6598587040659411808117253

> Log(Abs(Denominator(Q[1])));

449.2554587727840583949442765

103.8.7 Two-Descent and Two-CoveringsThe two-descent process determines the locally soluble two-coverings of an elliptic curveover the rationals, giving them as hyperelliptic curves C : y2 = f(x) with f of degreefour. A separate implementation is available for the case where E admits a 2-isogeny:this involves first computing the 2-coverings for the isogeny and its dual (in this case thecovering maps have degree 2 instead of degree 4), and then lifting these to the level of a“full 2-descent”.

This section also provides some tools for manipulating such curves, including generatorsfor some rings of invariants of quartic forms, minimisation and reduction of such forms, andthe maps back to the associated elliptic curve. This functionality overlaps with the packagefor genus one models (see 106). There is a straightforward interface to the 2-Selmer groupmachinery, which also works over number fields.


TwoDescent(E : parameters)

RemoveTorsion BoolElt Default : false

RemoveGens PtEll Default :

Verbose TwoDescent Maximum : 1

Given a rational elliptic curve E, 2-descent is used to construct a sequence of hy-perelliptic curves (quartics) representing the elements of the 2-Selmer group. Thegroup structure is not preserved by this function: the intrinsic TwoSelmerGroupshould be used if this is desired. If RemoveTorsion is true, the generators of thetorsion subgroup are factored out from the set. If RemoveGens is nonempty, theimage of the specified points is factored out from the set.

AssociatedEllipticCurve(f)

AssociatedEllipticCurve(C)

E CrvEll Default :

Gives the minimal model of the elliptic curve associated with a two-covering givenas a polynomial f or a hyperelliptic curve C, along with a map from points [x, y]on the two-covering to the curve.

If an elliptic curve is given as E, this must be isomorphic to the Jacobian of C,and then the map returned will be a map to the given E.

Example H103E29

> E := EllipticCurve([0, 1, 0, -7, 6]);

> S := TwoDescent(E);

> S;

[

Hyperelliptic Curve defined by y^2 = x^4 + 4*x^3 - 2*x^2 - 20*x + 9 over

Rational Field,

Hyperelliptic Curve defined by y^2 = x^4 - x^3 - 2*x^2 + 2*x + 1 over

Rational Field,

Hyperelliptic Curve defined by y^2 = 2*x^4 - 4*x^3 - 8*x^2 + 4*x + 10 over

Rational Field

]

E has three non-trivial two-descendants, hence its rank is at most 2. The first two curves yieldobvious rational points, so we can find two independent points on E (and it has exact rank 2).

> phi([1, 1, 0]) where _,phi := AssociatedEllipticCurve(S[1]);

(1 : -1 : 1)

> phi([1, 1, 0]) where _,phi := AssociatedEllipticCurve(S[2]);

(5/4 : 7/8 : 1)


103.8.7.1 Two Descent Using Isogenies

TwoIsogenyDescent(E : parameters)

Isogeny MapSch Default :

TwoTorsionPoint PtEll Default :

Given an elliptic curve E over Q admitting a 2-isogeny φ : E′ → E, this functioncomputes 2-coverings representing the nontrivial elements of the Selmer groups ofφ and of the dual isogeny φ′ : E → E′. These coverings are given as hyperellipticcurves C : y2 = quartic(x). Six objects are returned: (i) the sequence of coveringsC of E for φ; (ii) the corresponding list of maps C → E; (iii) and (iv) the coveringsC ′ and maps C ′ → E′ for φ′; (v) and (vi) the isogenies φ and φ′ that were used.

It’s advisable to give a model for E that is close to minimal.

LiftDescendant(C)

This routine performs a higher descent on curves arising in TwoIsogenyDescent(E)on an elliptic curve E over Q. The curves obtained are 2-coverings of E in the senseof ordinary (full) TwoDescent; more precisely, they are exactly the set of 2-coveringsD for which the covering map D → E factors through C. Up to isomorphism, theyare a subset of the 2-coverings returned by TwoDescent(E). The advantage of thisapproach is that it works entirely over the base field of E, whereas TwoDescent willin general compute a class group over a quadratic extension of the base field. Theexample below explains how to recover all coverings produced by TwoDescent(E)using the 2-isogeny approach.

This function accepts any curve C in the first sequence of curves returned byTwoIsogenyDescent(E) (these are the 2-isogeny-coverings of E). More generally itaccepts any hyperelliptic curve of the form y2 = d1x

4 + cx2 + d2. A model for theassociated elliptic curve E is then y2 = x(x2 + cx + d1d2).

The function returns three objects: a sequence containing the covering curvesD, a list containing the corresponding maps D → C, and lastly the covering mapC → E from the given curve to some model of its associated elliptic curve.

103.8.7.2 Invariants

QuarticIInvariant(q) QuarticJInvariant(q)

QuarticG4Covariant(q) QuarticG6Covariant(q)

QuarticHSeminvariant(q) QuarticPSeminvariant(q)

QuarticQSeminvariant(q) QuarticRSeminvariant(q)

Compute invariants, semivariants, and covariants, as in paper [Cre01], of a givenquartic polynomial q. The G4 and G6 covariants are polynomials of degrees fourand six respectively; the I and J invariants are integers that generate the ring ofinteger invariants of the polynomial and satisfy J2 − 4I3 = 27∆(f). The names H


and P have been used for essentially the same seminvariant in different papers; theyare related by H = −P .

QuarticNumberOfRealRoots(q)

Using invariant theory, compute the number of real roots of a real quartic polynomialq.

QuarticMinimise(q)

Given a quartic q, the algorithm of [SC02] is applied to minimise q. Both theminimised quartic and the matrix that minimised it are returned.

NOTE: this algorithm may misbehave badly, going into an infinite loop, if calledfor a quartic which is not locally solvable at all non-Archimedean primes.

QuarticReduce(q)

Given a quartic q, the algorithm of [Cre99] is applied to find the reduced quarticand the matrix that reduced it.

IsEquivalent(f,g)

Determines if the quartics f and g are equivalent.

103.8.8 The Cassels-Tate PairingThe Tate–Shafarevich group of any elliptic curve E admits an alternating bilinear formon III (E) with values in Q/Z, known as the Cassels-Tate pairing. The key property isthat if III (E) is finite (as conjectured), the Cassels-Tate pairing is non-degenerate. Whenrestricted to the 2-torsion subgroup, one obtains a non-degenerate alternating bilinearform on III (E)[2]/2III (E)[4], or equivalently on Sel2(E) modulo the image of Sel4(E),with values in Z/2Z.

This means that if C and D are 2-coverings of E and the pairing (C, D) has value 1,then both C and D represent elements of order 2 in III (E), and moreover there are nolocally solvable 4-coverings of E lying above them (in other words, FourDescent(C) andFourDescent(D) would both return an empty sequence). In this sense the Cassels-Tatepairing provides the same information as 4-descent, however it can be computed moreeasily.

The algorithm implemented to compute the pairing for 2-coverings of elliptic curves isdue to Steve Donnelly, and roughly speaking, follows the “homogeneous space definition”.Notes are available on request. The only nontrivial step in the procedure is to solve a conicover the base field of E, so over Q it is quite efficient.

CasselsTatePairing(C, D)

Verbose CasselsTate Maximum : 2Computes the Cassels-Tate pairing of two 2-coverings of an elliptic curve over Q.The pairing takes values in Z/2Z. The given curves C and D must be hyperellipticcurves over Q of the form y2 = q(x) where q(x) has degree 4, and they mustadmit 2-covering maps to the same elliptic curve (equivalently, C and D must have


isomorphic AssociatedEllipticCurve). In addition, they must both be locallysolvable over all completions of Q (otherwise the pairing is not defined).

For instance C and D may be curves in the sequence returned by TwoDescent(E),for some elliptic curve E over Q.

103.8.9 Four-DescentIn a 1996 paper [MSS96], Merriman, Siksek and Smart described a four-descent algorithmfor elliptic curves over Q. This section describes the Magma implementation of thatalgorithm. Another useful reference is Tom Womack’s PhD thesis [Wom03]. Four-descentis performed on a two-cover, that is a hyperelliptic curve defined by a polynomial of degreefour, with the assumption that the quartic of this descendant does not have a rationalroot. The terminology “four-descent” is thus slightly incorrect; Magma actually performsa second descent on a specific two-cover, and does not try to combine such informationfrom all two-covers into the 4-Selmer group.

A four-covering F is a pair of symmetric 4× 4 matrices, defining an intersection of twoquadrics in P 3. Associated to F is an elliptic curve E; there is a rational map from F toE of degree 16. The four-descent process takes a two-covering curve C (something of theshape y2 = f(x) with f quartic, and possessing points over Qp for all p), and returns a setof four-coverings that arise from C.

In particular, if C represents an element of order two in the Tate–Shafarevich groupof E, then the four-descent process will return the empty set. If C represents an elementof the Mordell–Weil group, at least one of the four-coverings arising from C will have arational point — all of them will do so if the Tate–Shafarevich group of E is trivial — andonce found this point can be lifted to a point on E.

FourDescent(f : parameters)

FourDescent(C : parameters)


IgnoreRealSolubility BoolElt Default : false


RemoveGensEC PtEll Default :

RemoveGensHC PtHyp Default :

Verbose FourDescent Maximum : 3Verbose LocalQuartic Maximum : 2Verbose MinimiseFD Maximum : 2Verbose QISearch Maximum : 1Verbose ReduceFD Maximum : 2Verbose QuotientFD Maximum : 2

Performs a four-descent on the curve y2 = f(x), where f is a quartic. Returnsa set of four-coverings of size 2s−1, where s is the Selmer 2-rank of the curve. Ifthe verbose level of the main function is set to 3, then the auxiliary verbose levels


are all set to at least 1. If RemoveTorsion is true, the generators of the torsionsubgroup are factored out from the set. The optional argument RemoveGensHCperforms a quotient by the images of given points that are on the input quarticto FourDescent. The optional argument RemoveGensEC forms a quotient by theimages of given points; these can be on any elliptic curve that is isomorphic to theAssociatedEllipticCurve of the quartic (though all given points must be on thesame elliptic curve). These options can be used together.

Example H103E30

This example shows that a well-known curve has rank 0 and that the 2-torsion subgroup of itsTate–Shafarevich group is isomorphic to (Z/2Z)2.

> D := CremonaDatabase();

> E := EllipticCurve(D, 571, 1, 1);

> time td := TwoDescent(E);

Time: 2.500

> #td;

3

There are three 2-covers, so the 2-Selmer group has order four (since TwoDescent elides the trivialelement).

> time [ FourDescent(t) : t in td ];

[

[],

[],

[]

]

Time: 3.290

So none of the two-covers have four-covers lying over them; hence they all represent elements ofIII , and the Mordell–Weil rank must be zero.

AssociatedEllipticCurve(qi)

AssociatedHyperellipticCurve(qi)

E CrvEll Default :

Given an intersection of quadrics qi, return the associated elliptic and hyperellipticcurves, respectively, together with maps to them.

If an elliptic curve is given as E, this must be isomorphic to the Jacobian of thecurve qi, and then the map returned will be a map to the given E.

QuadricIntersection(F)

QuadricIntersection(P, F)

Given a pair of symmetric 4 × 4 matrices F , this function returns the associatedquadric intersection in P = P 3.


QuadricIntersection(E)

QuadricIntersection(C)

Given an elliptic curve E or a hyperelliptic curve C, write it as an intersection ofquadrics. The inverse map for the hyperelliptic curve has problems due to difficultieswith weighted projective space.

IsQuadricIntersection(C)

Given a curve C, determines if C is in P 3 and has two defining equations, bothof which involve only quadrics. In the case where C is a quadric intersection, theassociated pair of matrices are also returned.

PointsQI(C, B : parameters)

OnlyOne BoolElt Default : false

ExactBound BoolElt Default : false

Verbose QISearch Maximum : 1Given a quadric intersection C, this function searches, by a reasonably efficientmethod due to Elkies [Elk00], for a point on C of naıve height up to B; the asymp-totic running time is O(B2/3).

If OnlyOne is set to true, the search stops as soon as it finds one point; however,the algorithm is p-adic and there is no guarantee that points with small coordinatesin Z will be found first. If ExactBound is set to true, then points that are foundwith height larger than B will be ignored.

TwoCoverPullback(H, pt)

TwoCoverPullback(f, pt)

Given a two-covering of a rational elliptic curve (as either a hyperelliptic curve ora quartic) and a point on the elliptic curve, compute the pre-images on the two-covering. This is faster than using the generic machinery.

FourCoverPullback(C, pt)

Given a four-covering of a rational elliptic curve as an intersection of quadrics anda point either on the associated elliptic curve or the associated hyperelliptic curve,this function computes the pre-images on the covering. This is faster than using thegeneric machinery.

Example H103E31

This example exhibits a four-descent computation, and manipulation of points once they havebeen found, by mapping from the curve to its two- and four-covers.

> P<x> := PolynomialRing(Integers());

> E := EllipticCurve([0, -1, 0, 203, -93]);

> f := P!Reverse([-7, 12, 20, -120, 172]);

> f;


-7*x^4 + 12*x^3 + 20*x^2 - 120*x + 172

The quartic given was obtained with mwrank; the two-descent routine could have been used instead,although it provides a different (but equivalent) quartic.

> time S := FourDescent(f);

Time: 4.280

> #S;

1

The single cover indicates that the curve E has Selmer rank 1, though this was already knownfrom the calculation that constructed f .

> _,m := AssociatedEllipticCurve(S[1] : E:=E );

> pts := PointsQI(S[1], 10^4);

> pts;

[ (-5/3 : 13/3 : -34/3 : 1) ]

We now map this point back to E.

> m(pts[1]);

(2346223045599488598/1033322524668523441 :

20326609223460937753264735467/1050397899358266605692672489 : 1)

> Height($1);

44.19679596739622477261983370

103.8.10 Eight-DescentOne may perform 8-descent (ie a further 2-descent) on curves of the kind produced

by a 4-descent on an elliptic curve E over Q. These are nonsingular intersections of twoquadrics in P3 that are locally soluble. The 8-descent determines whether such a curvehas any 2-coverings (in the sense of 2-descent) that are locally soluble everywhere.

The routine can therefore be used to prove, in many cases, that a given 4-covering ofE is in fact an element of order 4 in the Tate–Shafarevich group of E. It can also be usedto find 8-coverings of E, and to verify these are elements of the 8-Selmer group.

The 8-coverings are given as intersections of three quartics in P3. The models com-puted tend to have large coefficients (in contrast with 4-descent and 3-descent), becausereduction techniques are not implemented. This means that the 8-coverings are not helpfulin searching for rational points on E.

The algorithm and (with slight modifications) the implementation are due to SebastianStamminger (see [Sta05]).

EightDescent(C : parameters)

BadPrimesHypothesis


DontTestLocalSolvabilityAt

RngIntElt Default :


StopWhenFoundPoint


Verbose EightDescent Maximum : 4

Verbose LegendresMethod Maximum : 3

For a curve C obtained from FourDescent on some elliptic curve E over Q, thisperforms a further 2-descent on C. It returns a sequence of curves D, together witha sequence containing maps D → C from each of these curves to C. The curvesreturned are precisely the 8-descendants of E that lie above C and are locally solubleat all places.

When the optional argument StopWhenFoundPoint is set to true, the computa-tion will stop if it happens to find a rational point on C, and immediately returnthe point instead of continuing to computing the 8-coverings.

In some cases local solubility testing (at large primes which may arise due tochoices made in the algorithm) can be time-consuming. Testing at specified primesmay be skipped by setting the optional argument DontTestLocalSolvabilityAtto the desired set of prime integers, or by setting BadPrimesHypothesis to betrue. In that case, certain primes are omitted from the set of bad primes (namelythose primes at which the intersection of C with an auxiliary third quadric has badreduction, and which are not bad primes for any other reason).

The algorithm involves class group and unit computations in number fields ofdegree 6. It is recommended to set the bounds to be used in all such computationsbefore calling EightDescent, via SetClassGroupBounds.

Verbose output: For a readable summary of the computation, set the verboselevel to 1 by entering SetVerbose("EightDescent",1). For full information aboutall the time-consuming steps in the process, set the verbose level to 3. For additionalinformation about solving the conic, set the verbose level for "LegendresMethod"to 2.

103.8.11 Three-DescentThree descent is implemented for elliptic curves over the rationals. This involves com-

puting the 3-Selmer group of the curve, and then representing the elements as plane cubics.There is also a separate implementation of “descent by three isogenies”, for elliptic

curves over the rationals which admit a Q-rational isogeny of degree 3.The main application of full three descent is in studying elements of order 3 in Tate–

Shafarevich groups. For the problem of determining the Mordell–Weil group, three descenthas no advantage over four descent except in special cases: the cost is greater (three descentrequires computing the class group and S-units in a degree 8 number field, compared withdegree 4 for four descent), and the reward is smaller (a point on a 3-coverings has height 1/6as large as its image on the elliptic curve, while with four descent the ratio is 1/8). Howeverthree descent can be useful when there are elements of order 4 in the Tate–Shafarevichgroup, which four descent cannot deal with.


On the other hand, for a curve with a Q-rational isogeny of degree three, descent bythree isogenies is likely to be the most efficient way to bound the Mordell–Weil rank,because it only requires class group and S-unit computations in quadratic fields.

There are two steps to the 3-descent process: firstly, computing the 3-Selmer groupas a subgroup of H1(Q, E[3]) (explicitly, as a subgroup of A×/A×3 for a suitable algebraA), and secondly, expressing the elements as genus one curves with covering maps toE. The elements of the 3-Selmer group are given as plane cubics, and the process ofobtaining these cubics is far from trivial. (Note that in general, an element of H1(Q, E[3])can only be given as a curve of degree 9 rather than degree 3). The main commandsare ThreeSelmerGroup(E), which performs the first step, and ThreeDescent(E), whichperforms both steps together, while ThreeDescentCubic performs the second step for agiven element of 3-Selmer group.

The algorithm for the first step is presented in [SS04], while the theory and algorithmsfor the second step are developed in the forthcoming series of papers [CFO+a], [CFO+b],[CFO+c]. The bulk of the code was written by Michael Stoll and Tom Fisher (however,responsibility for the final version rests with Steve Donnelly).

The following verbose flags provide information about various stages of the threedescent process: Selmer, ThreeDescent, CSAMaximalOrder, Minimise and Reduce.For instance, to see what ThreeSelmerGroup is doing while it is running, first enterSetVerbose("Selmer",2);. The verbose levels range from 0 to 3.

ThreeDescent(E : parameters)

Method MonStgElt Default : “HessePencil′′

Verbose Selmer Maximum : 3Verbose ThreeDescent Maximum : 3

Given an elliptic curve over the rationals, this function returns the elements of the3-Selmer group as projective plane cubic curves C, together with covering mapsC → E. Two objects are returned: a sequence containing one curve for each inversepair of nontrivial elements in the 3-Selmer group, and a corresponding list of mapsfrom these curves to E. (Note that a pair of inverse elements in the 3-Selmer groupboth correspond to the same cubic curve C, and their covering maps C → E differby composition with the negation map E → E.)

The function simply calls ThreeSelmerGroup(E), and then ThreeDescentCubicon the Selmer elements. Note that if ThreeSelmerGroup(E) has already been com-puted, it will not be recomputed, because the results are stored in the attributeE‘ThreeSelmerGroup.

For more information see the description of ThreeDescentCubic below.

Example H103E32

Here is Selmer’s famous example 3x3 + 4y3 + 5z3 = 0, which is an element of order 3 in theTate–Shafarevich group of its Jacobian, the elliptic curve x3 + y3 + 60z3 = 0.

> Pr2<x,y,z> := ProjectiveSpace(Rationals(),2);

> J := x^3 + y^3 + 60*z^3;


> E := MinimalModel(EllipticCurve(Curve(Pr2,J)));

> cubics, mapstoE := ThreeDescent(E);

> cubics;

[

2*x^3 - 3*y^3 + 10*z^3,

-3*x^3 + 4*y^3 - 5*z^3,

-2*x^3 + 5*y^3 + 6*z^3,

-x^3 - 2*y^3 - 30*z^3

]

The 3-Selmer group of E is isomorphic to Z/3Z ⊕ Z/3Z, and one element for each (nontrivial)inverse pair is returned. (Note: 3x3 +4y3 +5z3 will not necessarily appear; due to random choicesin the program, an equivalent model may appear instead.)The covering maps from these curves to E have degree 9, and are given by forms of degree 9 inx, y, z. For example, the map from the first curve 2x3 − 3y3 + 10z3 to E is given by:

> DefiningEquations(mapstoE[1]);

[

-1377495072000*x*y^7*z + 4591650240000*x*y^4*z^4 - 15305500800000*x*y*z^7,

24794911296000*y^9 - 123974556480000*y^6*z^3 - 413248521600000*y^3*z^6 +

918330048000000*z^9,

-4251528000*x^3*y^3*z^3

]

Since E has trivial Mordell–Weil group, we should not find any rational points on these curves!(In fact they are all nontrivial in the Tate–Shafarevich group.) Here we search for rational pointson the first cubic, up to height roughly 104:

> time PointSearch( cubics[1], 10^4);

[]

Time: 0.490

An extended example, concerning “visible” 3-torsion in a Tate–Shafarevich group, can be foundat the end of Chapter 106.

ThreeSelmerGroup(E : parameters)

ThreeTorsPts Tup Default :

MethodForFinalStep MonStgElt Default : “UseSUnits′′

CompareMethods BoolElt Default : false

Verbose Selmer Maximum : 3Given an elliptic curve E over the rationals, this function returns its 3-Selmer groupas an abelian group, together with a map to the natural affine algebra.

The parameter MethodForFinalStep can be either “Heuristic” (which is usuallymuch faster in large examples), “FindCubeRoots”, or “UseSUnits” (the default,which has the advantage that it usually takes roughly the same amount of time asthe S-unit computation that has already been performed). To try all three methodsand compare the times, set CompareMethods to true.


Most of the computation time is usually spent on class group and unit groupcomputations. These computations can be speeded up by using non-rigorousbounds, and there are two ways to control which bounds are used. The recom-mended way is to preset them using one of the intrinsics SetClassGroupBounds orSetClassGroupBoundMaps (see Section 31.6.1). The other way is to precompute theclass groups of the fields involved, setting the optional parameters in ClassGroup asdesired. (The relevant fields can be obtained as the fields over which the points inThreeTorsionPoints(E) are defined.) The fields and their class group data wouldthen be stored internally, and automatically used when ThreeSelmerGroup(E) iscalled (even when no optional parameters are provided).

When ThreeTorsPts is specified, it determines the fields used in the computa-tion, and the algebra used to express the answers.

ThreeDescentCubic(E, α : parameters)

ThreeTorsPts Tup Default :

Method MonStgElt Default : “HessePencil′′

Verbose ThreeDescent Maximum : 3Given an elliptic curve E over the rationals, and an element α in the 3-Selmer groupof E, the function returns a projective plane cubic curve C, together with a mapof schemes C → E. The cubic is a principal homogeneous space for E, and thecovering map C → E represents the same Selmer element as either α or 1/α (andα can be recovered, up to inverse, by calling ThreeSelmerElement of the cubic).

The 3-Selmer element α is given as an element of the algebra associatedto the 3-Selmer group (the algebra is the codomain of the map returned byThreeSelmerGroup, as in S3, S3toA := ThreeSelmerGroup(E)). In this situation,where α is S3toA(s) for some s, there is no need to specify the optional parameterThreeTorsPts.

The algorithm comes from the series of papers cited in the introduction. Thereare three alternative ways to perform the final step of computing a ternary cubic.All three ways are implemented, and the optional parameter Method may be “Hes-sePencil” (default), “FlexAlgebra” or “SegreEmbedding”. However, the choice ofMethod is not expected to make a big difference to the running time.

The optional parameter ThreeTorsPts is a tuple containing one representativefrom each Galois orbit of E[3] \ O. Its purpose is to fix an embedding of the 3-Selmer group in A×/A×3 (otherwise there is ambiguity when the fields involvedhave nontrivial automorphisms, or occur more than once). When ThreeTorsPts isnot specified, ThreeTorsionPoints(E) is called (its value is stored internally andused throughout the Magma session).

ThreeIsogenyDescent(E : parameters)

Isog MapSch Default :

Verbose Selmer Maximum : 3Verbose ThreeDescent Maximum : 3


Given an elliptic curve E over Q that admits a Q-rational isogeny E → E1 ofdegree 3, the function performs “descent by three isogenies” on E. This involvescomputing the Selmer groups attached to the isogeny and its dual, and representingthe elements of both Selmer groups as plane cubics, with covering maps of degree 3to E1 or E respectively. One cubic is given for each nontrivial pair of inverse Selmerelements, and one covering map is given for each cubic (the other covering map,which can be obtained by composing with the negation map on the elliptic curve,would correspond to the inverse Selmer element.)

There are five returned values, in the following order: a list of curves for Sel(E →E1), a corresponding list of covering maps to E1, a list of curves for the dual isogenySelmer group Sel(E1 → E), a corresponding list of covering maps to E, and finallythe isogeny E → E1.

This function works simply by calling ThreeIsogenySelmerGroups(E), and thencalling ThreeIsogenyDescentCubic for each Selmer element.

The isogeny E → E1 may be passed in as Isog. If Isog is not specified, and Eadmits more than one such isogeny, then this is chosen at random.

ThreeIsogenySelmerGroups(E : parameters)

Isog MapSch Default :

Verbose Selmer Maximum : 3

Given an elliptic curve E over the rationals that admits a Q-rational isogeny E → E1

of degree 3, the function computes the Selmer groups associated to the isogeny, andto its dual isogeny E1 → E. The Selmer groups are returned as abstract groups,together with maps to the relevant algebra. There are five returned values, in thefollowing order: the group, and the map, for E → E1, the group, and the map, forE1 → E, and finally the isogeny E → E1.

A bound for the rank of E(Q) can be deduced, by taking the sum of the ranksof the Selmer groups for the two isogenies, and subtracting 1 if the kernel of one ofthe isogenies consists of rational points.

The isogeny E → E1 may be passed in as Isog. If Isog is not specified, and Eadmits more than one such isogeny, then this is chosen at random.

The algebra in which the Selmer group of a particular isogeny is exhibited is theetale algebra corresponding to the nontrivial points in the kernel of the dual isogeny;it is either a quadratic field, or a Cartesian product of two copies of Q.

ThreeIsogenyDescentCubic(φ, α)

Verbose ThreeDescent Maximum : 3

Given an isogeny φ of degree 3 between elliptic curves over Q, and any element α ofH1(Q, E[φ]), this function returns a plane cubic curve C representing α, togetherwith a covering map C → E of degree 3.

The element α is given as an element in the algebra A associated to theSelmer group of φ; the algebra can be obtained from ThreeIsogenySelmerGroups.


H1(Q, E[φ]) is represented as the subgroup of A×/(A×)3 consisting of elementswhose norm is a cube.

Jacobian(C)

Given the equation of a nonsingular projective plane cubic curve C over the rationals,this function returns the Jacobian of C (over the rationals) as an elliptic curve. Notethat C will be a principal homogeneous space of E.

ThreeSelmerElement(E, C)

ThreeSelmerElement(C)

Given an elliptic curve E over the rationals, and a plane cubic C with the sameinvariants as E (for instance, with E equal to Jacobian(C)) the function returns anelement α in the algebra A associated to the 3-Selmer group of E. This α representsthe same element of H1(Q, E[3]) that is represented by a covering C → E thattakes the flex points of C to O. Note that α is only determined up to inverse inH1(Q, E[3]).

In particular, if we have computed S3, S3toA := ThreeSelmerGroup(E), andif C is an everywhere locally soluble covering corresponding to the element s in S3,then α equals either S3toA(s) or S3toA(-s) in A×/(A×)3.

AddCubics(cubic1, cubic2 : parameters)

E CrvEll Default :

ReturnBoth BoolElt Default : false

Given equations of two plane cubics over the rationals with the same invariants (inother words, they are homogeneous spaces for the same elliptic curve E, which istheir Jacobian, over the rationals), the function computes the sum of the corre-sponding elements of H1(Q, E[3]). The sum is returned as another plane cubic, ifpossible (and otherwise an error results).

An element of H1(Q, E[3]) may be expressed as a plane cubic when it has index3, equivalently when the so-called “obstruction” is trivial. This is always the case forelements that are everywhere locally soluble. In particular, the function will alwayssucceed when the two given cubics are everywhere locally soluble (in other words,when they belong to the 3-Selmer group). The computation is done by convertingthe cubics to elements of H1(Q, E[3]) as given by ThreeSelmerElement, adding thecocycles, and then converting the result to a cubic.

Note that a cubic only determines an element of H1(Q, E[3]) up to taking inverse,so the sum is not well defined; if the function is called with ReturnBoth := true,it returns both of the possible cubics.

ThreeTorsionType(E)

For an elliptic curve E over the rationals, this function classifies the Galois actionon E[3]. The possibilities are “Generic”, “2Sylow”, “Dihedral”, “Generic3Isogeny”,“Z/3Z-nonsplit”, “mu3-nonsplit”, “Diagonal” and “mu3+Z/3Z”.


ThreeTorsionPoints(E : parameters)

OptimisedRep BoolElt Default : true

For an elliptic curve E over the rationals, this function returns a tuple containingone representative point from each set of Galois conjugates in E[3] \O.

Each point belongs to a point set E(L), where L is the field generated by thecoordinates of that point.

If OptimisedRep is set to false, then optimised representations of the fields willnot be computed, in general.

ThreeTorsionMatrices(E, C)

Given an elliptic curve E over the rationals, and a plane cubic with the same in-variants as E (in other words, a principal homogeneous space for E of index 3), thefunction returns a tuple of matrices. The matrices Mi correspond to the points Ti

in ThreeTorsionPoints(E), and have the corresponding base fields. Each matrixdescribes the action-by-translation on C of the corresponding point: the action ofPi on C is the restriction to C of the automorphism of the ambient projective spaceP2 given by the image of Mi in PGL3.

Note that only the images in PGL3 of the matrices are well-determined.

103.8.12 Heegner PointsFor an elliptic curve of rank 1, it is possible to compute the generator by an analytic process;the elliptic logarithm of some multiple nP of the generator is the sum of the values of themodular parameterization at a series of points in the upper half-plane corresponding toa full set of class representatives for an appropriately-chosen quadratic field. There is nosuch thing as a free lunch, sadly; the calculation requires computing O(hN) terms to aprecision of O(h) digits, so in practice it works best for curves contrived to have smallconductors.

The calculation proceeds in three stages: choosing the quadratic field Q(√−d), evaluat-

ing the modular parameterization, and recovering the generator from the elliptic logarithmvalue. Essentially, this is an implementation of the method of Gross and Zagier [GZ86];Elkies performed some substantial computations using this method in 1994, and much ofthe work required to produce this implementation was done by Cremona and Womack.

HeegnerPoint(E : parameters)

NaiveSearch RngIntElt Default : 1000Discriminant RngIntElt Default :

Cover Crv Default :

DescentPossible BoolElt Default : true

IsogenyPossible BoolElt Default : true

Traces SeqEnum Default : []Verbose Heegner Maximum : 1


Attempts to find a point on a rank 1 rational elliptic curve E using the methodof Heegner points, returning true and the point if it finds one, otherwise false.The parameter NaiveSearch indicates to what height the algorithm will first do asearch (using Points) before turning to the analytic method. The Discriminantparameter allows the user to specify an auxiliary discriminant; this must satisfythe Heegner hypothesis, and the corresponding quadratic twist must have rank 0.The Cover option allows the user to specify a 2-cover or 4-cover (perhaps obtainedfrom TwoDescent or FourDescent) to speed the calculation. This should be eithera hyperelliptic curve or a quadric intersection, and there must be a map from thecover to the given elliptic curve. If the DescentPossible option is true, then thealgorithm might perform such a descent in any case. If the IsogenyPossible optionis true, then the algorithm will first try to guess the best isogenous curve on whichto do the calculation — if a Cover is passed to the algorithm, it will be ignored if Eis not the best isogenous curve. The Traces option takes an array of integers whichcorrespond to the first however-many traces of Frobenius for the elliptic curve, thussaving having to recompute them.

The algorithm assumes that the Manin constant of the given elliptic curve is 1(which is conjectured in this case), and does not return a generator for the Mordell–Weil group, but a point whose height is that given by a conjectural extension of theGross–Zagier formula. This should be

√Sha times a generator.

HeegnerPoint(C : parameters)

HeegnerPoint(f : parameters)

NaiveSearch RngIntElt Default : 10000Discriminant RngIntElt Default :

Traces SeqEnum Default : []Verbose Heegner Maximum : 3

These are utility functions for the above. The input is either a hyperelliptic curvegiven by a polynomial of degree 4, or this quartic polynomial — in both casesthe quartic should have no rational roots — or a nonsingular intersection of twoquadrics in P3. These functions call HeegnerPoint on the underlying elliptic curve.They then map the computed point back to the given covering curve. The rationalreconstruction step of the HeegnerPoint algorithm can be quite time-consumingfor some coverings, especially if the index is large. Also, if a cover correspondsto an element of the Tate–Shafarevich group, the algorithm will likely enter aninfinite loop. These functions have not been as extensively tested as the ordinaryHeegnerPoint function, and thus occasionally might fail due to unforeseen problems.

ModularParametrization(E, z, B : parameters)

ModularParametrization(E, z : parameters)

ModularParametrization(E, Z, B : parameters)


ModularParametrization(E, Z : parameters)

Traces SeqEnum Default : []ModularParametrization(E, f, B : parameters)

ModularParametrization(E, f : parameters)

ModularParametrization(E, F, B : parameters)

ModularParametrization(E, F : parameters)

Traces SeqEnum Default : []Precision RngIntElt Default :

Given a rational elliptic curve E and a point z in the upper-half-plane, computethe modular parametrization

∫∞z

fE(τ) dτ where fE is the modular form associatedto E. The version with a bound B uses the first B terms of the q-expansion, whilethe other version determines how many terms are needed. The optional parameterTraces allows the user to pass the first however-many traces of Frobenius. Thereare also versions which take an array Z of complex points, and versions which takepositive definite binary quadratic forms f (or an array F ) rather than points in theupper-half-plane (a Precision can be specified with the latter).

HeegnerDiscriminants(E,lo,hi)

Fundamental BoolElt Default : false

Strong BoolElt Default : false

Given a rational elliptic curve and a range from lo to hi, compute the negativefundamental discriminant in this range that satisfies the Heegner hypothesis for thecurve. The Fundamental option restricts to fundamental discriminants. The Strongoption restricts to discriminants that satisfy a stronger Heegner hypothesis, namelythat ap = −1 for all primes p that divide gcd(D,N).

HeegnerForms(E,D : parameters)

UsePairing BoolElt Default : false

UseAtkinLehner BoolElt Default : true

Use wQ BoolElt Default : true

IgnoreTorsion BoolElt Default : false

Given a rational elliptic curve of conductor N and a negative discriminant thatmeets the Heegner hypothesis for N , the function computes representatives for thecomplex multiplication points on X0(N).

In general the return value is a sequence of 3-tuples (Q, m, T ) where Q is aquadratic form, m is a multiplicity, and T is a torsion point on E. Letting φ bethe modular parametrization map, the sum on E of the values m(φ(Q) + T ) is aHeegner point in E(Q). When the number of these values equals the class numberh = h(D) (and the multiplicities are all 1 or −1) then they are actually the images


on E of the CM points on X0(N). (They all correspond to a single choice of squareroot of D modulo 4N .)

If UsePairing is added, then CM points that give conjugate values under themodular parametrisation map are combined. If UseAtkinLehner is added, thenmore than one square root of D modulo 4N can be used. If Use wQ is added, thenforms can appear with extra multiplicity, due to primes that divide the GCD of theconductor and the fundamental discriminant. If IgnoreTorsion is added, then thefact that Atkin-Lehner can change the result by a torsion point will be ignored. TheUsePairing option requires that IgnoreTorsion be true.

This function requires (so as not to confuse the user) that the ManinConstantof the curve be equal to 1.

HeegnerForms(N,D : parameters)

AtkinLehner [RngIntElt] Default : []Given a level N and a discriminant that meets the Heegner hypothesis for the level,the function returns a sequence of binary quadratic forms which correspond to theHeegner points. The Atkin-Lehner option takes a sequence of q with gcd(q, N/q) = 1and has the effect of allowing more than one square root of D modulo 4N to beused.

ManinConstant(E)

Compute the Manin constant of a rational elliptic curve. This is in most casessimply a conjectural value (and most often just 1).

HeegnerTorsionElement(E)

Given a rational elliptic curve and an integer Q corresponding to an Atkin-Lehnerinvolution (so that gcd(Q,N/Q) = 1), this function computes the torsion point onthe curve corresponding to the period given by the integral from i∞ to wQ(i∞).

HeegnerPoints(E, D : parameters)

ReturnPoint BoolElt Default : false

Precision RngIntElt Default : 100Verbose Heegner Maximum : 1

Given an elliptic curve E over Q, and a suitable discriminant D (of a quadratic field)this function computes the images on E under the modular parametrization of theCM points on X0(N) associated to D. It returns a tuple 〈pD,m〉, where pD is anirreducible polynomial whose roots are the x-coordinates of these images, and wherem is the multiplicity of each of these images (the number of CM points on X0(N)mapping to a given point on E). These x-coordinates lie in the ring class field ofQ(√

D), and the class number h(D) must equal either mdeg(pD) or 2m deg(pD).The conductor of the order Q(

√D) is required to be coprime to the conductor

of E.


The second object returned by the function is one of the conjugate points, as anelement of the point set E(H) where H is the field defined by pD, or a quadraticextension of it. This step can be time consuming; if ReturnPoint is set to false,the point is not computed.

WARNING: The computation is not rigorous, as it involves computing overthe complex numbers, and then recognising the coefficients of the polynomial asrationals. However, the program performs a heuristic check: it checks that thepolynomial has the correct splitting at some small primes (sufficiently many to besure that wrong answers will not occur in practice).

Example H103E33

> time HeegnerPoint(EllipticCurve([1,0,0,312,-3008])); //uses search

true (12: -56: 1)

Time: 0.240

> time HeegnerPoint(EllipticCurve([0,0,1,-22787553,-41873464535]));

true (11003637829478432203592984661004129/1048524607168660222036584535396 :

-1004181871409718654255966342764883958203316448270339/10736628855783147946

99393270058310986889998056 : 1)

Time: 1.380

Example H103E34

Here are some more complicated examples. In the first one, the curve has a 163-isogenous curve,which the algorithm uses to speed the computation. This occurs automatically, with most of thetime taken being in computing the isogeny map.

> E := EllipticCurve([0,0,1,-57772164980,-5344733777551611]);

> b, pt:= HeegnerPoint(E);

> Height(pt);

373.478661569142379884077480412

Example H103E35

In this next example, we first use descent to get a covering on which the desired point will havesmaller height.

> E := EllipticCurve([0,-1,0,-71582788120,-7371563751267600]);

> T := TwoDescent(E : RemoveTorsion)[1];

> T;

Hyperelliptic Curve defined by y^2 = -2896*x^4 - 57928*x^3 - 202741*x^2

+ 868870*x - 651725 over Rational Field

> S := FourDescent(T : RemoveTorsion)[1];

> b, pt := HeegnerPoint(S);

> pt;

(-34940281640330765977951793/72963317481453011430052232 :

46087465795237503244048957/72963317481453011430052232 :


82501230298438806677528297/72963317481453011430052232 : 1)

We obtain a point on S, not on the original curve. We map it to E using the descent machinery.

> _, m := AssociatedEllipticCurve(S);

> PT := m(pt);

> PT;

(26935643239674824824611869793601774003477303945223677741244455058753

924460587724041316046901475913814274843012625394997597714766923750555

669810857471061235926971161094484197799515212721830555528087646969545

65/837619099331786545303500955405701693904657590793269053332825491870

645799230089011267382251975387071464373622714525213870033427638236014

2288012504288439077587496501436920044109243898570190931925860244164 :

410189886613094359515065087530226951251222017120181558101276037601794

678635473792334597914052557787798899390943937170051840037860568689664

871351793404398352109768736545284569745952273382778021947446766526118

621612003004627401344216069791103330332004546699363266079516476593864

98538303998567379869974143259174395/766601839981278884919411893932635

388671474045058772153268571977045787439290021029065740244648077391646

579430077900352635000328805236464794479797855430820809227462762666048

009219642700664370632930446228302292313415544188481623273194456758440

446505454248062292834244615276350323795396202280072306278575288 : 1)

> Height(PT);

476.811182818720336949724781780

> ConjecturalRegulator(E : Precision := 5);

476.81 1

Example H103E36

Finally, we do some Heegner point calculation with the curve 43A and the discriminant −327.Note that the obtained trace down to the rationals is 3-divisible, but the point over the Hilbertclass field is not.

> E := EllipticCurve([0,1,1,0,0]);

> HeegnerDiscriminants(E,-350,-300);

[ -347, -344, -340, -335, -331, -328, -327, -323, -319, -308, -303 ]

> HF := HeegnerForms(E,-327); HF;

[ <<43,19,4>, 1, (0 : 1 : 0)>, <<43,67,28>, 1, (0 : 1 : 0)>,

<<86,105,33>, 1, (0 : 1 : 0)>, <<86,153,69>, 1, (0 : 1 : 0)>,

<<129,105,22>, 1, (0 : 1 : 0)>, <<129,153,46>, 1, (0 : 1 : 0)>,

<<172,67,7>, 1, (0 : 1 : 0)>, <<258,363,128>, 1, (0 : 1 : 0)>,

<<258,411,164>, 1, (0 : 1 : 0)>, <<301,67,4>, 1, (0 : 1 : 0)>,

<<473,621,204>, 1, (0 : 1 : 0)>, <<473,841,374>, 1, (0 : 1 : 0)> ]

> H := [x[1] : x in HF]; mul := [x[2] : x in HF];

> params := ModularParametrization(E,H : Precision := 10);

> wparams := [ mul[i]*params[i] : i in [1..#H]];

> hgpt := EllipticExponential(E,&+wparams);

> hgpt;

[ 1.000000002 - 1.098466121E-9*I, 1.000000003 - 1.830776870E-9*I ]


> HeegnerPt := E![1,1];

> DivisionPoints(HeegnerPt, 3);

[ (0 : -1 : 1) ]

So the Heegner point is 3 times (0,−1) in E(Q). We now find algebraically one of the points(of which we took the trace to get HeegnerP t). This point will be defined over a subfield of theclass field of Q(

√−327), and will have degree dividing the class number. The poly below is theminimal polynomial of the x-coordinate.

> ClassNumber(QuadraticField(-327));

12

> poly, pt := HeegnerPoints(E, -327 : ReturnPoint);

> poly;

<t^12 + 10*t^11 + 76*t^10 - 1150*t^9 + 475*t^8 - 4823*t^7 + 997*t^6 - 5049*t^5 -

2418*t^4 - 468*t^3 - 3006*t^2 + 405*t - 675, 1>

> pt;

(u : 1/16976844562625*(58475062076*u^11 + 568781661961*u^10 + 4238812569862*u^9 -

68932294336288*u^8 + 42534102728187*u^7 - 238141610215111*u^6 +

134503848441911*u^5 - 122884262733563*u^4 - 58148031982456*u^3 +

129014145075851*u^2 - 68190988248855*u + 40320643901175) : 1)

> DivisionPoints(pt,3);

[]

Here is another example of Heegner points over class fields.

Example H103E37

> E := EllipticCurve([0,-1,0,-116,-520]);

> Conductor(E);

1460

> ConjecturalRegulator(E);

4.48887474770666173576726806264 1

> HeegnerDiscriminants(E,-200,-100);

[ -119, -111 ]

> P := HeegnerPoints(E,-119);

> P;

<1227609449333996689*t^10 - 106261506377143984603*t^9 +

2459826667693945203684*t^8 - 12539974356047058417320*t^7 -

298524708823654411408343*t^6 + 4440876684434597926161175*t^5 +

7573549099120618979833241*t^4 - 393938048860406386108113130*t^3 -

215318107135691628298668863*t^2 + 13958289016298162706904004974*t

+ 38624559371249968900024945369, 1>

The function automatically performs a heuristic check that the polynomial has the right properties,using reduction mod small primes. A more expensive check is the following.

> G := GaloisGroup( P[1] );

> IsIsomorphic(G,DihedralGroup(10));


true

The extension of Q(−119) defined by the polynomial is the class field. We now obtain a nicerepresentation of it, and use this to compute the height of the point (which is a bit quicker thancomputing the height directly).

> K := NumberField(P[1]);

> L<v>, m := OptimizedRepresentation(K);

> _<y> := PolynomialRing(Rationals()); // use ’y’ for printing

> DefiningPolynomial(L);

y^10 + 2*y^9 - y^8 - 7*y^7 - 7*y^6 + 10*y^5 + 13*y^4 - 9*y^3 - 5*y^2 +

5*y - 1

> PT := Points(ChangeRing(E,L),m(u))[1]; // y-coord is defined over L

> Height(PT);

6.97911761109714376876370533

103.8.13 Analytic Information

Periods(E: parameters)


Returns the sequence of periods of the Weierstrass ℘-function associated to theelliptic curve E, to Precision digits. The first element of the sequence is thereal period. The function accepts a non-minimal model, and returns the periodscorresponding to that model.

RealPeriod(E: parameters)


Returns the real period of the Weierstrass ℘-function associated to the elliptic curveE to Precision digits.

EllipticExponential(E, z)

Given a rational elliptic curve E and a complex number z, the function computesthe pair [℘(z), ℘′(z)] where ℘(s) is the Weierstrass ℘-function. The algorithm used istaken from [Coh93] for small precision, and Newton iteration on EllipticLogarithmis used for for high precision. The function returns a sequence rather than a pointon the curve.

EllipticExponential(E, S)

Given a rational elliptic curve E and a sequence S = [p, q], where p and q are rationalnumbers, this function computes the elliptic exponential of p times the RealPeriodand q times the imaginary period.


EllipticLogarithm(P: parameters)


Denote by ω1, ω2 the periods of the Weierstrass ℘-function related to E. Thisfunction returns the elliptic logarithm φ(P ) of the point P , such that −ω1/2 ≤Re(φ(P )) < ω1/2 and −ω2/2 ≤ Im(φ(P )) < ω2/2. The value is returned toPrecision digits. As with Periods, a non-minimal model can be given, and theEllipticLogarithm will be computed with respect to it.

EllipticLogarithm(E, S)


Check BoolElt Default : true

Given an elliptic curve E and a sequence S = [z1, z2], where z1 and z2 are complexnumbers approximating a point P on E, this function returns the elliptic logarithmφ(P ). For details see the previous intrinsic. When Check is false, z1 and z2 neednot have any relation to a point on the curve, in which case only the x-coordinatematters up to (essentially) a choice of sign in the resulting logarithm.

pAdicEllipticLogarithm(P, p: parameters)

Precision RngIntElt Default : 50For a point P on an elliptic curve E which is a minimal model and a prime p, returnsthe p-adic elliptic logarithm of P to Precision digits. The order of P must not bea power of p.

Example H103E38

Verify that EllipticExponential and EllipticLogarithm are inverses.

> C:=ComplexField(96);

> E:=EllipticCurve([0,1,1,0,0]);

> P:=EllipticExponential(E,0.571+0.221*I); P;

[ 1.656947605210186238868298175 + -1.785440180067681418618695947*I,

-2.417077284700315330385200257 + 3.894153792661208360153853530*I ]

> EllipticLogarithm(E,P);

0.5710000000000000000000000000 + 0.2210000000000000000000000000*I

Add points on a curve via Napier’s method.

> E:=EllipticCurve([0,0,1,-7,6]);

> P1:=E![0,2]; P2:=E![2,0]; P3:=E![1,0];

> L:=EllipticLogarithm(E!P1)+EllipticLogarithm(E!P2)+EllipticLogarithm(E!P3);

> L;

2.597592211301257294795208040 + 1.480548268241414993307331111*I

> P:=EllipticExponential(E,L);

> [Round(Real(x)) : x in P];

[ 4, -7 ]

> P1+P2+P3;


(4 : -7 : 1)

RootNumber(E)

Calculates the global root number of a rational elliptic curve E. This is equal to thesign of the functional equation of the L-series associated to the curve. The methodused is to take a product of local root numbers over the primes of bad reduction.

RootNumber(E, p)

Calculates the local root number at a prime p of an elliptic curve E. The methodused is due to Halberstadt; for p > 3 it is a straightforward calculation involving thevaluation of the discriminant, while for p = 2, 3 it involves a more careful analysisof the reduction type.

AnalyticRank(E)

Verbose AnalyticRank Maximum : 1

Precision RngIntElt Default : 5

Determine the analytic rank of the rational elliptic curve E. The algorithm used isheuristic, computing derivatives of the L-function L(E, s) at s = 1 until one appearsto be nonzero. Local power series methods are used to compute the special func-tions used for higher derivatives. The function returns the first nonzero derivativeL(r)(1)/r! as a second argument. The precision is optional, and is taken to be 17 bitsif omitted; the time taken can increase dramatically if this is increased much beyond50 digits as the time to compute the special functions then starts to dominate therunning time.

ConjecturalRegulator(E)


Using the AnalyticRank function, this function calculates an approximation, as-suming that the Birch–Swinnerton-Dyer conjecture holds, to the product of theregulator of the elliptic curve E and the order of the Tate–Shafarevich group. The(assumed) analytic rank is returned as a second value.

ConjecturalRegulator(E, v)

Given an elliptic curve E with L-function L(E, s) and the value v of the first nonzeroderivative L(r)(1)/r!, this function calculates an approximation, assuming that theBirch–Swinnerton-Dyer conjecture holds, to the product of the regulator of theelliptic curve E and the order of its Tate–Shafarevich group.


Example H103E39

> E:=EllipticCurve([1,1,0,-2582,48720]);

> time r, Lvalue := AnalyticRank(E : Precision:=9); r,Lvalue;

Time: 17.930

6 320.781164

> ConjecturalRegulator(E,Lvalue);

68.2713770

> time G, map := MordellWeilGroup(E : HeightBound := 8); G;

Time: 21.540

Abelian Group isomorphic to Z (6 copies)


> Regulator([map(g): g in OrderedGenerators(G)]);

68.2713769

Example H103E40

> ConjecturalRegulator(EllipticCurve([0,-1,1,0,0]) : Precision := 8);

1.0000000 0


1.00000000000000000000 0


1.0000000000000000000000000000000000 0


1.0000000000000000000000000000000000000000000000000 0

ModularDegree(E)

Verbose ModularDegree Maximum : 1Determine the modular degree of a rational elliptic curve E. The algorithm used isdescribed in [Wat02]. One computes the special value L(Sym2E, 2) of the motivicsymmetric-square L-function of the elliptic curve, and uses the formula

deg(phi) = L(Sym2E, 2)/(2 ∗ Pi ∗ Ω) ∗ (Nc2) ∗ Ep(2)

where Ω is the area of the fundamental parallelogram of the curve, N is the con-ductor, c is the Manin constant, and Ep(2) is a product over primes whose squaredivides the conductor. The Manin constant is assumed to be 1 except in the casesdescribed in [SW02], where it is conjectured that the optimal curves for parameteri-zations from X1(N) and X0(N) are different. A warning is given in these cases. Theoptimal curve for parameterizations from X1(N) is assumed to be the curve in theisogeny class of E that has minimal Faltings height (maximal Ω). The algorithm isbased upon a sequence of real-number approximations converging to an integer —the use of verbose printing for ModularDegree allows the user to see the sequenceof approximations.


Example H103E41

First we define a space of ModularForms.

> M:=ModularForms(Gamma0(389),2);

The first of the newforms associated to M corresponds to an elliptic curve.

> f := Newform(M,1); f;

q - 2*q^2 - 2*q^3 + 2*q^4 - 3*q^5 + 4*q^6 - 5*q^7 + q^9 + 6*q^10 - 4*q^11 +

O(q^12)

> E := EllipticCurve(f); E;

Elliptic Curve defined by y^2 + y = x^3 + x^2 - 2*x over Rational Field

We can compute the modular degree of this using modular symbols.

> time ModularDegree(ModularSymbols(f));

40

Time: 0.200

Or via the algorithm based on elliptic curves.

> time ModularDegree(E);

40

Time: 0.000

The elliptic curve algorithm is capable of handling examples of high level.

> E := EllipticCurve([0,0,0,0,-(10^5+3)]);

> Conductor(E);

1080064800972

> time ModularDegree(E);

1719883996992

Time: 117.870

103.9 Integral and S-integral Points

Let E be an elliptic curve defined over the rational numbers Q and denote by S =p1, . . . , ps−1,∞ a finite set of primes containing the prime at infinity. There are onlyfinitely many S-integral points on E. (That is, points where the denominators of the coor-dinates are only supported by primes in S.) Note that the point at infinity on E is neverreturned, since it is supported at every prime.

The following algorithms use the technique of linear forms in complex and p-adic ellipticlogarithms.


103.9.1 Integral Points

IntegralPoints(E)

FBasis SeqEnum[PtEll] Default :

Given an elliptic curve E over the Q, returns the sequence of all integral points,modulo negation, and followed by a sequence of tuple sequences [〈Pi,j , ni,j〉] suchthat the j-th integral point Pj is of the form Pj =

∑ri=1 ni,jPi,j . i.e., the second

return value contains representations of the points in terms of some basis.The algorithm involves first computing generators of the Mordell-Weil group,

by calling MordellWeilGroup. Alternatively, the user may precompute genera-tors (perhaps using another method, for instance HeegnerPoint) and pass themto IntegralPoints as the optional parameter FBasis. This should be a sequence,and its elements are assumed to be an independent set of generators for the Mordell-Weil group modulo torsion. (The function ReducedBasis will return a sequence withthis property.)

Example H103E42

We find all integral points on a certain elliptic curve:


> Q, reps := IntegralPoints(E);

> Q;

[ (-2 : -3 : 1), (8 : 23 : 1), (43 : -282 : 1), (4 : 9 : 1),

(2 : -5 : 1), (-1 : 4 : 1), (52 : -375 : 1), (5234 : 378661 : 1) ]

> reps;

[

[ <(-2 : -3 : 1), 1> ],

[ <(-2 : -3 : 1), 2> ],

[ <(-2 : -3 : 1), 1>, <(4 : -9 : 1), -2> ],

[ <(4 : -9 : 1), -1> ],

[ <(-2 : -3 : 1), 1>, <(4 : -9 : 1), -1> ],

[ <(-2 : -3 : 1), 1>, <(4 : -9 : 1), 1> ],

[ <(-2 : -3 : 1), 2>, <(4 : -9 : 1), 1> ],

[ <(-2 : -3 : 1), 1>, <(4 : -9 : 1), 3> ]

]

We see here that the chosen basis consists of the points (−2 : −3 : 1) and (4 : −9 : 1), and thatcoefficients which are zero are omitted.

IntegralQuarticPoints(Q)

If Q is a sequence of five integers [a, b, c, d, e] where e is a square, this function returnsall integral points (modulo negation) on the curve y2 = ax4 + bx3 + cx2 + dx + e.


IntegralQuarticPoints(Q, P)

If Q is a list of five integers [a, b, c, d, e] defining the hyperelliptic quartic y2 =ax4 + bx3 + cx2 + dx + e and P is a sequence representing a rational point [x, y],this function returns all integral points on Q.

Example H103E43

We find all integral points (modulo negation) on the curve y2 = x4 − 8x2 + 8x + 1. Since theconstant term is a square we can use the first form and do not have to provide a point as well.

> IntegralQuarticPoints([1, 0, -8, 8, 1]);

[

[ 2, -1 ],

[ -6, 31 ],

[ 0, 1 ]

]

103.9.2 S-integral Points

SIntegralPoints(E, S)

FBasis SeqEnum[PtEll] Default :

Given an elliptic curve E over the rationals and a set S of finite primes, returns thesequence of all S-integral points, modulo negation. The second return value, andthe optional parameter FBasis, are the same as in IntegralPoints.

Example H103E44

We find all S-integral points on an elliptic curve of rank 2, for the set of primes S = 2, 3, 5, 7.> E := EllipticCurve([-228, 848]);

> Q := SIntegralPoints(E, [2, 3, 5, 7]);

> for P in Q do P; end for; // Print one per line

(4 : 0 : 1)

(-11 : 45 : 1)

(16 : 36 : 1)

(97/4 : -783/8 : 1)

(-44/9 : -1160/27 : 1)

(857/4 : -25027/8 : 1)

(6361/400 : -282141/8000 : 1)

(534256 : -390502764 : 1)

(946/49 : -20700/343 : 1)

(-194/25 : -5796/125 : 1)

(34/9 : 172/27 : 1)

(814 : 23220 : 1)

(13 : 9 : 1)

(-16 : 20 : 1)


(1/4 : -225/8 : 1)

(52 : -360 : 1)

(53 : 371 : 1)

(16/49 : 9540/343 : 1)

(-16439/1024 : -631035/32768 : 1)

(34 : 180 : 1)

(-2 : 36 : 1)

(-14 : -36 : 1)

(14 : -20 : 1)

(754 : -20700 : 1)

(94/25 : -828/125 : 1)

(2 : 20 : 1)

(94 : 900 : 1)

(-818/49 : 468/343 : 1)

(49/16 : -855/64 : 1)

(196 : -2736 : 1)

(629/25 : 13133/125 : 1)

(1534/81 : -42020/729 : 1)

(8516/117649 : -1163623840/40353607 : 1)

SIntegralQuarticPoints(Q, S)

Given a sequence of integers Q = [a, b, c, d, e] where a is a square, this functionreturns all S-integral points on the quartic curve y2 = ax4 + bx3 + cx2 + dx + e forthe set S of finite primes.

SIntegralLjunggrenPoints(Q, S)

Given a sequence of integers Q = [a, b, c, d], this function returns all S-integral pointson the curve C : ay2 = bx4 + cx2 + d for the set S of finite primes, provided that Cis nonsingular.

SIntegralDesbovesPoints(Q, S)

Given a sequence of integers Q = [a, b, c, d], this function returns all S-integral pointson C : ay3 + bx3 + cxy + d = 0 for the set S of finite primes, provided that C isnonsingular.


Example H103E45

We find the points supported by [2, 3, 5, 7] on the curve 9y3 + 2x3 + xy + 8 = 0.

> S := [2, 3, 5, 7];

> SIntegralDesbovesPoints([9, 2, 1, 8], S);

[

[ 1, -1 ],

[ -94/7, 172/21 ],

[ -11/7, 2/7 ],

[ 5, -3 ],

[ 2, -4/3 ],

[ 2/7, -20/21 ],

[ -8/5, -2/15 ]

]

103.10 Elliptic Curve Database

Magma includes John Cremona’s database of all elliptic curves over Q of small conductor(up to 130 000 at V2.13 and above). This section defines the interface to that database.

For each conductor in the range stored in the database the curves with that conductorare stored in a number of isogeny classes. Each curve in an isogeny class is isogenous (butnot isomorphic) to the other curves in that class. Isogeny classes are referred to by numberrather than the alphabetic form given in the Cremona tables.

All of the stored curves are global minimal models.

EllipticCurveDatabase(: parameters)

CremonaDatabase(: parameters)

BufferSize RngIntElt Default : 10000

This function returns a database object which contains information about the el-liptic curve database and is used in the functions which access it. The optionalparameter BufferSize controls the size of an internal buffer — see the descriptionof SetBufferSize for more information.

SetBufferSize(D, n)

The elliptic curve database D uses an internal buffer to cache disk reads; if thebuffer is large enough then the entire file can be cached and will not need to beread from the disk more than once. On the other hand, if only a few curves will beaccessed then a large buffer is not especially useful. SetBufferSize can be used toset the size n (in bytes) of this buffer. There are well defined useful minimum andmaximum sizes for this buffer, and values outside this range will be treated as thenearest useful value.


LargestConductor(D)

Returns the largest conductor of any elliptic curve stored in the database. It is anerror to attempt to refer to larger conductors in the database.

ConductorRange(D)

Returns the smallest and largest conductors stored in the database. It is an errorto attempt to refer to conductors outside of this range.

#D

NumberOfCurves(D)

Returns the number of elliptic curves stored in the database.

NumberOfCurves(D, N)

Returns the number of elliptic curves stored in the database for conductor N .

NumberOfCurves(D, N, i)

Returns the number of elliptic curves stored in the database in the i-th isogeny classfor conductor N .

NumberOfIsogenyClasses(D, N)

Returns the number of isogeny classes stored in the database for conductor N .

EllipticCurve(D, N, I, J)

EllipticCurve(D, N, S, J)

Returns the J-th elliptic curve of the I-th isogeny class of conductor N from thedatabase. I may be specified either as an integer (first form) or as a label like "A"(second form).

EllipticCurve(D, S)

EllipticCurve(S)

Returns a representative elliptic curve with label S (e.g., "101a" or "101a1") fromthe specified database (or if not specified, from the Cremona database).

Random(D)

Returns a random curve from the database.

CremonaReference(D, E)

CremonaReference(E)

Returns the database reference to the minimal model for E (e.g., "101a1"). E mustbe defined over Q and its conductor must lie within the range of the database.The second form of this function must open the database for each call, so if it isbeing used many times the database should be created once and the first form usedinstead.


Example H103E46


> #D;

845960

> minC, maxC := ConductorRange(D);

> minC, maxC;

1 130000

> &+[ NumberOfCurves(D, C) : C in [ minC .. maxC ] ];

845960

These numbers agree (which is nice). The conductor in that range with the most curves is 100800.

> S := [ NumberOfCurves(D, C) : C in [ minC .. maxC ] ];

> cond := maxval + minC - 1 where _,maxval := Max(S);

> cond;

100800

> NumberOfCurves(D, cond);

924

> NumberOfIsogenyClasses(D, cond);

418

The unique curve of conductor 5077 has rank 3.

> NumberOfCurves(D, 5077);

1

> E := EllipticCurve(D, 5077, 1, 1);

> E;

Elliptic Curve defined by y^2 + y = x^3 - 7*x + 6 over Rational Field

> CremonaReference(D, E);

5077a1

> Rank(E);

3

EllipticCurves(D, N, I)

EllipticCurves(D, N, S)

Returns the sequence of elliptic curves in the I-th isogeny class for conductor Nfrom the database. I may be specified either as an integer (first form) or as a labellike "A" (second form).

EllipticCurves(D, N)

The sequence of elliptic curves for conductor N from the database.

EllipticCurves(D, S)

The sequence of elliptic curves with label S from the database. S may specify justa conductor (like "101"), or both a conductor and an isogeny class (like "101A").


EllipticCurves(D)

The sequence of elliptic curves stored in the database. Note: this function is ex-tremely slow due to the number of curves involved. Where possible it would bemuch better to iterate through the database instead (see example).

Example H103E47

Here are two ways to iterate through the database:


> &+[ Discriminant(E) : E in D ];

25508696848625065498744745352333035316167184

> sum := 0;

> for E in D do sum +:= Discriminant(E); end for;

> sum;

25508696848625065498744745352333035316167184

Now we create a random curve and find the other curves in its isogeny class.

> E := Random(D);

> E;

Elliptic Curve defined by y^2 = x^3 - 225*x over Rational Field

> Conductor(E);

7200

> CremonaReference(E);

7200bg1

> EllipticCurves(D, "7200bg");

[

Elliptic Curve defined by y^2 = x^3 - 225*x over Rational Field,

Elliptic Curve defined by y^2 = x^3 - 2475*x - 47250 over Rational Field,

Elliptic Curve defined by y^2 = x^3 - 2475*x + 47250 over Rational Field,

Elliptic Curve defined by y^2 = x^3 + 900*x over Rational Field

]

103.11 Curves over Number Fields

The functions in this section are for elliptic curves defined over number fields, includingQ. For curves over Q, they provide complementary method to those described already(with not much overlap). In particular, the algorithms related to ranks and Mordell–Weilgroups use the “algebraic” method of first determining some Selmer group, in contrast tothe search for homogeneous spaces carried out in MordellWeilGroup or Rank over Q.

The most important pieces of machinery implemented here are 2-descent and descentby 2-isogenies, and standard height machinery.



BadPlaces(E)

Given an elliptic curve E defined over a number field K, returns the places of K ofbad reduction for E. i.e., the places dividing the discriminant of E.

BadPlaces(E, L)

Given an elliptic curve E defined over a number field K and a number field L, suchthat K is a subfield of L, returns the places of L of bad reduction for E.

Conductor(E)

The conductor of the elliptic curve E defined over a number field.

LocalInformation(E, P)

UseGeneratorAsUniformiser


Implements Tate’s algorithm for the elliptic curve E over a number field. This intrin-sic computes local reduction data at the prime ideal P , and a local minimal model.The model is not required to be integral on input. Output is 〈P, vp(d), fp, cp,K, s〉and Emin where P is the prime ideal, vp(d) is the valuation of the local minimaldiscriminant, fp is the valuation of the conductor, cp is the Tamagawa number, Kis the Kodaira Symbol, and s is false if the curve has non-split multiplicative re-duction at P and true otherwise. Emin is a model of E (integral and) minimal atP .

When the optional parameter UseGeneratorAsUniformiser is set true, thecomputation checks whether P is principal, and if so, uses generator of P as theuniformiser. This means that at primes other that P , the returned model will stillbe integral or minimal if the given curve was.

LocalInformation(E)

Return a sequence of the tuples returned by LocalInformation(E, P) for all primeideals P in the decomposition of the discriminant of E in the maximal order of thenumber field the elliptic curve E is over.

Reduction(E, p)

Given an elliptic curve E over a number field given by a model which is integral atp and has good reduction at p, returns an elliptic curve over the residue field of pwhich represents the reduction of E at p. The reduction map is also returned.

RootNumber(E, P)

The local root number of the elliptic curve E (defined over a number field) at theprime ideal P .


RootNumber(E)

Calculates the global root number of an elliptic curve E defined over a numberfield K. This is the product of local root numbers over all places of K (−1 fromeach infinite place), and is the (conjectural) sign in the functional equation relatingL(E/K,s) to L(E/K,2-s).

103.11.2 Complex Multiplication

HasComplexMultiplication(E)

Given an elliptic curve E over a number field, the function determines whether thecurve has complex multiplication and, if so, also returns the discriminant of the CMquadratic order. The algorithm uses fairly straightforward analytic methods, whichare not suited to very high degree j-invariants with CM by orders with discriminantsmore than a few thousand.

103.11.3 Torsion Information

TorsionBound(E, n)

Given an elliptic curve E defined over a number field, returns a bound on the sizeof the torsion subgroup of E by looking at the first n non-inert primes of sufficientlylow ramification degree and good reduction.

pPowerTorsion(E, p)

Bound RngIntElt Default : −1

Given an elliptic curve E defined over a number field or Q, returns the p-powertorsion of E over its base field as an abelian group, together with the map from thegroup into the curve. One can specify a bound on the size of the p-power torsion,which may help the computation.

TorsionSubgroup(E)

Given an elliptic curve E defined over a number field, returns the torsion subgroupof E.

103.11.4 Heights

NaiveHeight(P)

Given a point P on an elliptic curve over a number field K, the function returns thenaive height of P ; i.e., the absolute logarithmic height of the x-coordinate.


Height(P : parameters)

Precision RngIntElt Default : 27Extra RngIntElt Default : 8

Given a point P on an elliptic curve defined over a number field K, returns theNeron-Tate height h(P ). (This is based on the absolute logarithmic height ofthe x-coordinate.) The parameter Precision may be used to specify the desiredprecision of the output. The parameter Extra is used in the cases when one of thepoints 2nP gets too close to the point at infinity, in which case there is a huge lossin precision in the archimedean height and increasing Extra remedies that problem.

HeightPairingMatrix(P : parameters)

Compute the height pairing matrix for an array of points. Same varargs as above.

LocalHeight(P, Pl : parameters)

Precision RngIntElt Default : 0Extra RngIntElt Default : 8

Given a point P on an elliptic curve defined over a number field K, and a place Pl(finite or infinite) of K, returns the local height λPl(P ) of P at Pl. The parameterPrecision sets the precision of the output. A value of 0 takes the default precision.

When Pl is an infinite place, the parameter Extra can be used to remedy thehuge loss in precision when one of the points 2nP gets too close to the point atinfinity.

103.11.5 Selmer GroupsFirst we give a short overview of the theory of Selmer groups. This enables us to fixthe notation that is used in the naming of the Magma functions. For a more completeaccount, see [Sil86]. The actual algorithms to compute the Selmer groups are closer to thedescription in [Cas66].

Let E′, E be elliptic curves over a number field K and let φ : E′ → E be an isogeny.The only cases currently implemented are where φ is a 2-isogeny, i.e., an isogeny of degree2, and where E′ = E and φ is multiplication by 2.

Let E′[φ] be the kernel subscheme of φ. By taking Galois cohomology of the short exactsequence of schemes over K,

0 → E′[φ] → E′ → E → 0,

we obtainE′(K) → E(K) → H1(K, E′[φ]) → H1(K, E′).

For the middle map, we write µ : E(K) → H1(K, E′[φ]). Thus, E(K)/φ(E′(K)) injectsin H1(K, E′[φ]) and the image consists exactly of the cocycles that vanish in H1(K, E′).

As an approximation to this image, we define the φ-Selmer group of E over K toconsist of those cocycles H1(K,E′[φ]) that vanish in all restrictions H1(Kp, E

′), where pruns though all places of K. It fits in the exact sequence


0 → S(φ)(E/K) → H1(K,E′[φ]) →∏p

H1(Kp, E′)

The main application of Selmer groups is that they provide the bound:

#E(K)/φE′(K) ≤ #S(φ)(E/K).

If φ∗ : E → E′ is the isogeny dual to φ, then φφ∗ : E → E is multiplication by d = Deg(φ).Thus, one can use the φ and φ∗ Selmer groups to provide a bound on #E(K)/dE(K) andthus on the Mordell–Weil rank of E(K).

Representation of H1(K,E′[φ]):If φ is a 2-isogeny, then H1(K, E′[φ]) ∼ K∗/K∗2. Thus, we can represent elements by

δ ∈ K∗. In Magma, the map µ corresponds to a representation of the map E(K) → K∗.The map µ also accepts just x-coordinates.

If φ is multiplication-by-2 and E : y2 = f(x), we write A = K[x]/(f(x)) then

H1(K,E[2]) ∼ δ ∈ A∗/A∗2|NA/K(δ) ∈ K∗2.In fact, the full set A∗/A∗2 corresponds to H1(K, E[2]× ±1).

The set H1(K, E′[φ]) also corresponds to the set of covers τδ : Tδ → E over K, moduloisomorphy over K, that are isomorphic to φ : E′ → E over the algebraic closure of K (see[Sil86], Theorem X.2.2). In this section, we write tor for the map δ 7→ τδ.

DescentMaps(phi)

CasselsMap(phi)

Fields SetEnum Default : Given an isogeny φ : E → E1 of elliptic curves over a number field K (or Q), thefunction returns the connecting homomorphism

µ : E1(K) → H1(K, E[φ]),

and a map τ sending an element of H1(K, E[φ]) to the corresponding homogeneousspace. Here elements of H1(K, E[φ]) are represented as elements of A∗/(A∗)2 (asdescribed above). The maps are actually given as maps to, and from, A (ratherthan A∗/(A∗)2).

The isogeny φ must be either a 2-isogeny or multiplication–by–2.When φ is multiplication–by–two, then the computation of µ involves a call to

AbsoluteAlgebra. The optional parameter Fields is passed on to that. If thefields mentioned in this set are found to be of any use, then these will be used andwhatever class group and unit data stored on the fields will be used in subsequentcomputations.

When φ is multiplication–by–two, the second map τ accepts all elements δ ∈ A∗.An element δ ∈ A∗ represents an element of H1(K, E[2]) if and only if δ must havesquare norm. In general, δ ∈ A∗ represents an element of H1(K,E[2] × ±1), inwhich case τ(δ) is the corresponding covering Tδ → P1. (This covering is a twist ofthe covering E → E → P1 given by P 7→ 2P 7→ x(2P ).)


SelmerGroup(phi)

Hints SetEnum Default : Raw BoolElt Default : false

Bound RngIntElt Default : −1Verbose Selmer Maximum : 2

Given an isogeny φ : E → E1 defined over a number field K, computes theassociated Selmer group Sel(φ) := Selφ(E/K).

The Selmer group is returned as a finite abelian group S, together with a mapAtoS : A → S, where A is as in the introduction. This is a map only in the Magmasense; it is defined only on a finite subset of A. Its “inverse” S → A provides themathematically meaningful injection S → A∗/(A∗)2. The standard map

E1(K) → E1(K)/φE(K) → Sel(φ)

is given by the composition of µ with AtoS, where µ : E1(K) → H1(K, E[φ]) is thefirst map returned by DescentMaps.

If the optional parameter Hints is given, it is used as a list of x-coordinatesto try first when determining local images. Supplying Hints does not change theoutcome, but may speed up the computation.

The calculation of the Selmer group involves possibly expensive class group andunit group computations. If no such data has been precomputed, SelmerGroup willattempt to obtain this information unconditionally, unless Bound is positive. Thisbound is then passed on to any called ClassGroup. However, if such data is alreadystored, it will be used and subsequent results will be conditional on whatever as-sumptions were made while computing this information. If conditional results aredesired (for instance, assuming GRH), one should precompute class group informa-tion on the codomain of CasselsMap(phi) prior to calling SelmerGroup(phi).

If Raw is true, then three technical items are also returned. The first two ofthese, toV ec and FB, enable one to represent elements of the Selmer group in termsof a “factor base” FB consisting of elements of A that generate a relevant subgroupof A∗/(A∗)2. The map toV ec sends an element of S to an exponent vector relativeto FB. The map from S to A obtained by multiplying out the results is inverse toAtoS.

The final returned value (when Raw is true) is a set of Hints (just as in theoptional parameter).

TwoSelmerGroup(E)

Hints SetEnum Default : Raw BoolElt Default : false

Bound RngIntElt Default : −1Verbose EllSelmer Maximum : 2


The 2-Selmer group of an elliptic curve defined over Q or a number field. Thefunction simply calls SelmerGroup for the multiplication–by–two isogeny. The givenmodel for E should be integral. The options and return values are the same as forSelmerGroup.

RankBound(E)

Isogeny Map Default :

The upper bound on the rank of E(K), for an elliptic curve over a number field K(or Q), obtained by computing the Selmer group(s) associated to some isogeny onE. The isogeny is either multiplication by 2, or a 2-isogeny if any exist, and maybe specified by the optional parameter Isogeny.

Example H103E48

In this example, we determine the rank of y2 = x3 + 9x2 − 10x + 1 by computing the 2-Selmergroup.

> E := EllipticCurve([0,9,0,-10,1]);

> two := MultiplicationByMMap(E,2);

> mu, tor := DescentMaps(two);

The hard work: computing the Selmer group.

> S, AtoS := SelmerGroup(two);

> #S;

8

So the Selmer rank is 3. We deduce the following upper bound on the rank of E(Q), taking intoaccount any 2-torsion.

> RankBound(E : Isogeny := two);

3

In fact, there are 3 points: (0, 1), (1, 1) and (2, 5).

> g1 := E![ 0, 1 ];

> g2 := E![ 1, 1 ];

> g3 := E![ 2, 5 ];

We now map these points into the Selmer group and check that they generate it. It will followthat the points generate E(K)/2E(K), which means they are independent nontorsion points inE(K) (since we know there is no 2-torsion).

> s1 := AtoS(mu(g1));

> s2 := AtoS(mu(g2));

> s3 := AtoS(mu(g3));

> sub<S | [s1, s2, s3]> eq S;

true

Next we compute the homogeneous space associated to the point g1+ g2. It must have a rationalpoint mapping to g1 + g2. Note that @@ always denotes “preimage” in Magma.

> coveringmap := tor((s1+s2) @@ AtoS);


> Domain(coveringmap); // Print the homogeneous space but not the map to E


-u0^2 - 2*u0*u1 - 18*u1*u2 + 82*u2^2,

-10*u0^2 - 18*u0*u1 - 18*u0*u2 - 9*u1^2 + 2*u1*u2 - 90*u2^2 + u3^2

The next command finds all Q-rational points in the preimage of the point g1 + g2 on E. (InMagma the preimage is constructed as a scheme.)

> RationalPoints( (g1+g2) @@ coveringmap);

@ (10 : -9 : -1 : 1) @

Example H103E49

We consider the elliptic curve E : y2 = dx(x + 1)(x + 3) where d is the product of the primes lessthan 50. Since E has full 2-torsion, we can carry out 2-isogeny descent in three non-equivalentways, resulting in three different rank bounds.

> P<x> := PolynomialRing(Integers());

> d := &*[ p : p in [1..50] | IsPrime(p) ];

> E := EllipticCurve(HyperellipticCurve(d*x*(x + 1)*(x + 3)));

The nontrivial 2-torsion points in E(Q):

> A, mp := TorsionSubgroup(E);

> T := [ t : a in A | t ne E!0 where t := mp(a) ];

The corresponding 2-isogenies:

> phis := [ TwoIsogeny(t) : t in T ];

The rank bounds obtained from these isogenies:

> [ RankBound(E : Isogeny := phi) : phi in phis ];

[ 9, 5, 7 ]

We find [9, 5, 7]! Each descent gives a different rank bound. However, a full 2-descent gives:

> two := MultiplicationByMMap(E,2);

> RankBound(E : Isogeny := two);

1

Now doing full 2-descent on the three isogenous curves, we see where the obstacle for sharp rankbounds comes from.

> OtherTwos := [ MultiplicationByMMap(Codomain(phi), 2) : phi in phis ];

> [ RankBound(Domain(two) : Isogeny := two) : two in OtherTwos ];

[ 9, 5, 7 ]

We find [9, 5, 7] again.


Example H103E50

The next example is a classic one from [Kra81].

> E := EllipticCurve([0, 977, 0, 976, 0]);

> twoE := MultiplicationByMMap(E, 2);

> muE := CasselsMap(twoE);

> SE, toSE := SelmerGroup(twoE);

> rkEQ := RankBound(E);

> ptE := [ E | [-1, 0], [0, 0], [-4, 108], [4, 140] ];

> sub<SE | [ toSE(muE(p)) : p in ptE ]> eq SE;

true

> // So E is really of rank 2

> d := 109;

> Ed := QuadraticTwist(E, d);

> Ed![ -976, -298656, 1];

(-976 : -298656 : 1)

> // So Ed is of rank at least 1

> rkEdQ := RankBound(Ed);

> _<x> := PolynomialRing(Rationals());

> K := NumberField(x^2 - d);

> EK := BaseChange(E, K);

> rkEK := RankBound(EK);

> rkEQ;

2

> rkEdQ;

3

> rkEK;

3

We know that the rank of Ed(Q) must be the rank of E(K) minus the rank of E(Q); thus Ed(Q)has rank 1. This is smaller than the bound of 3 we get from a 2-descent on Ed alone.

103.11.6 Mordell–Weil Group

MordellWeilSubgroup(E)

PseudoMordellWeilGroup(E)

Isogeny Map Default :

SearchBound RngIntElt Default :

UseHomogeneousSpaces BoolElt Default :

Given an elliptic curve defined over Q or a number field K, this function com-bines several functions from this chapter, in an attempt find a subgroup of odd,finite index in E(K). It chooses an isogeny and computes the appropriate Selmergroups (either multiplication by 2, or a 2-isogeny if any exist), which the usermay specify with the optional parameter Isogeny. The program then searches


on E up to the SearchBound to find rational points, using RationalPoints. WhenUseHomogeneousSpaces is true (or by default when it is efficient to do so), it willalso search for points on the relevant homogeneous spaces.

The returned values are bool, A and AtoE where A is an abstract abelian grouprepresenting a subgroup of the Mordell–Weil group, and the map AtoE sends ele-ments of the abstract group A to points on E. When bool is true, the computationhas proved that the rank of A equals the rank of E(K), in which case A has oddindex in E(K) (in any case, A is 2-saturated).

103.11.7 Elliptic Curve ChabautyThis refers to a method for finding the rational points on a curve, if the curve admits asuitable map to an elliptic curve over some extension field. The method was developedprincipally by Nils Bruin (see [Bru03] or [Bru04]). The intrinsic provided here automatesthe main calculation that is needed to apply the method.

Chabauty(MWmap, Ecov, p)

Cosets Tup Default :

Aux SetEnum Default :


Bound RngIntElt Default :

Let E be an elliptic curve defined over a number field K. This function bounds theset of points in E(K) whose images under a given map E → P1 are Q-rational.

The arguments are as follows:• a map MWmap : A → E from an abstract group into E(K) (for instance, the

map returned by PseudoMordellWeilGroup),• a map of varieties Ecov : E → P1 defined over K, and

• a rational prime p, such that E and the map Ecov have good reduction at primesabove p.

The returned values are N , V , R and L as follows. Let G denote the image of A inE(K).

• N is an upper bound for the number of points P ∈ G such that Ecov(P ) ∈ P1(Q)(note that N can be ∞).

• V is a set of elements of A found by the program that have images in P1(Q),• R is a number with the following property: if [E(K) : G] is finite and coprime

to R, then N is also an upper bound for the number of points P ∈ E(K) suchthat Ecov(P ) ∈ P1(Q), and

• L is a collection of cosets in A such that (⋃

L) ∪ V contains all elements of Athat have images in P1(Q).If Cosets (< Cj >) are supplied (a coset collection of A), then the bounds and

results are computed for A ∩ (⋃

Cj).


If Aux is supplied (a set of rational primes), then the information at p is combinedwith the information at the other primes supplied.

If Precision is supplied, this is the p-adic precision used in the computations.If not, a generally safe default is used.

If Bound is supplied, this determines a search bound for finding V .The algorithm used is based on [Bru03] and [Bru02].For examples and a more elaborate discussion, see [Bru04].

Example H103E51

This example is motivated and explained in great detail in [Bru04] (Section 7). Let E be theelliptic curve

y2 = x3 + (−3ζ3 − ζ + 1)dx2 + (−ζ2 − ζ − 1)d2x, d = 2ζ3 − 2ζ2 − 2

over K := Q(ζ) where ζ is a primitive 10th root of unity.

> _<z> := PolynomialRing(Rationals());

> K<zeta> := NumberField(z^4-z^3+z^2-z+1);

> OK := IntegerRing(K);

> d := 2*zeta^3-2*zeta^2-2;

> E<X,Y,Z> := EllipticCurve(

> [ 0, (-3*zeta^3-zeta+1)*d, 0, (-zeta^2-zeta-1)*d^2, 0 ]);

Next we determine as much as possible of E(K), allowing Magma to choose the method.

> success, G, GtoEK := PseudoMordellWeilGroup(E);

> G;

Abelian Group isomorphic to Z/2 + Z/2 + Z + Z


Relations:

2*G.1 = 0

2*G.2 = 0

> success;

true

Here G is an abstract group and GtoEK injects it into E(K). Since the flag is true, this is asubgroup of finite, odd index in E(K). Next, we determine the points (X : Y : Z) in thissubgroup for which the function

u : E → P1 : (X : Y : Z) → d(−X + (ζ3 − 1)Z : X + d(−ζ3 − ζ)Z)

takes values in P1(Q).

> P1 := ProjectiveSpace(Rationals(),1);

> u := map< E->P1 | [-X + (zeta^3 - 1)*d*Z, X+(-zeta^3-zeta)*d*Z] >;

> N, V, R, C := Chabauty( GtoEK, u, 3);

> N;

5

> V;


0,

G.3 - G.4,

-G.3 + G.4,

G.3 + G.4,

-G.3 - G.4

The Chabauty calculations prove that there are at most N elements in G whose image under uis Q-rational. Also, V is a set of elements with this property. Since here N = 5 = #V , theseare the only such elements. Moreover, the calculations prove that if [E(K) : G] is coprime to R,then N is actually an upper bound on the number of elements in E(K) whose image under u isQ-rational.

> R;

4

Fortunately, we know from the PseudoMordellWeilGroup computation that [E(K) : G] is odd.Therefore we have solved our problem for E(K), not just for G.If one wishes to evaluate u at these points, it is necessary in this example to first extend u (byfinding alternative defining equations for it) so that it is defined on all the points.

> u := Extend(u);

> [ u( GtoEK(P) ) : P in V ];

[ (-1 : 1), (-1/3 : 1), (-1/3 : 1), (-3 : 1), (-3 : 1) ]

103.11.8 Auxiliary functions for etale algebrasThis section contains machinery for number fields (and more generally “etale algebras”,i.e. algebras of the form Q[x]/p(x)), intended to perform the number field calculationsthat are involved in computing Selmer groups of geometric objects.

It has become conventional to refer to “the p-Selmer group” of a number field K (or,more generally, of an etale algebra) relative to a finite set S of K-primes. It means thefinite subgroup K(S, p) of K∗/(K∗)p, consisting of those elements whose valuation at everyprime outside S is a multiple of p.

AbsoluteAlgebra(A)

Fields SetEnum Default : Verbose EtaleAlg Maximum : 1

Given a separable commutative algebra over an absolute number field or Q, thefunction returns the isomorphic direct sum of absolute fields as a cartesian productand the isomorphisms to and from this product. The optional parameter Fieldsenables the user to suggest representations of the absolute fields. If this functionfinds it needs a field isomorphic to one occurring in the supplied list, then it willuse the given field. Otherwise it will construct a field itself. The isomorphism isreturned as a second argument. If called twice on the same algebra, it will recompute


if the Fields argument is given. Otherwise it will return the result computed thefirst time.

pSelmerGroup(A, p, S)

Verbose EtaleAlg Maximum : 1Returns the p-Selmer group of a semi-simple algebra A. The set S of ideals shouldbe prime ideals of the underlying number field. The group returned is the directsum of the p-Selmer groups of the irreducible summands of A and the map is theobvious embedding in the multiplicative group of A. An implied restriction is thatBaseRing(A) be of type FldNum. See also pSelmerGroup on page 3-836. If analgebra over the rationals is required, create a degree 1 extension by

QasaNumberField := NumberField(Rationals());

LocalTwoSelmerMap(P)

Let K be the number field associated with the prime ideal P . The map returnedis K∗ → K∗

P /K∗2P , where KP is the completion of K at P . The codomain is

represented as a finite abelian group.

LocalTwoSelmerMap(A, P)

Let K be the base field of the commutative algebra A and let P be a prime idealin K. Then this function returns a map A∗ → A∗/A∗2 ⊗ KP , where KP is thecompletion of K at P . The codomain is represented as a finite abelian group.

This map is computed by using LocalTwoSelmerMap(Q) for the various exten-sions Q of P to the fields making up AbsoluteAlgebra(A). The map returned isessentially the direct sum of all these maps. For technical purposes, one may alsowish to use the components of the map coming from each number field; these aregiven by the second return value, which is a sequence of records (ordered in thesame way as the results are concatenated in the returned map). Each record con-tains items i, p, map and vmap. Here i is an index indicating which numberfield in AbsoluteAlgebra(A) the record corresponds to, p is an extension of Pto a prime in that number field, map is LocalTwoSelmerMap(p), and vmap is thevaluation map at p on that number field.

Example H103E52

> P<x> := PolynomialRing(Rationals());

> A := quo;

> AA := AbsoluteAlgebra(A);

> AA;

Cartesian Product<Number Field with defining polynomial x - 1 over the Rational

Field, Number Field with defining polynomial x^2 + x + 1 over the Rational

Field>


103.12 Morphisms

Four types of maps between elliptic curves may be constructed: isogenies, isomorphisms,translations and rational maps. Isogenies and isomorphisms are by far the most important,and have the most functions associated to them. Isogenies are always surjective as schememaps, even though the Magma parlance of a map from E(Q) → F (Q) may seem toindicate that (for instance) the multiplication-by-two map is not surjective. There is ainternal limit that the degrees of the polynomials defining an isogeny cannot be morethan 107.

103.12.1 Creation Functions

Example H103E53

The following example gives a construction of a 2-isogeny between elliptic curves. This exam-ple follows Example III 4.5 of Silverman [Sil86], and demonstrates a parameterized family of2-isogenies of elliptic curves together with its dual.

> FF := FiniteField(167);

> a := FF!2; b := FF!3; r := a^2 - 4*b;

> E1 := EllipticCurve([0, a, 0, b, 0]);

> E2 := EllipticCurve([0, -2*a, 0, r, 0]);

> _<x> := PolynomialRing(BaseRing(E1));

> Ff, f := IsogenyFromKernel(E1, x);

> Fg, g := IsogenyFromKernel(E2, x);

> b, m1 := IsIsomorphic(Ff, E2); assert b;

> b, m2 := IsIsomorphic(Fg, E1); assert b;

> // Verify that f and g are dual isogenies of degree 2

> &and[ m2(g(m1(f(P)))) eq 2*P : P in RationalPoints(E1) ];

true

> &and[ m1(f(m2(g(Q)))) eq 2*Q : Q in RationalPoints(E2) ];

true

Isomorphism(E, F, [r, s, t, u])

Given elliptic curves E and F defined over the same field K, and four elementsr, s, t, u of K (where u 6= 0), the function returns the isomorphism E → F mappingOE 7→ OF and mapping (x, y) 7→ (u2x + r, u3y + su2x + t). This function returnsan error if the values passed do not define such an isomorphism.

Isomorphism(E, F)

Given elliptic curves E and F defined over the same field K, this function computesand returns an isomorphism from E to F where such an isomorphism exists. Themap returned will be the same as the second return value of IsIsomorphic.


Automorphism(E, [r, s, t, u])

Given an elliptic curve E defined over a field K, and four elements r, s, t, u of K(where u 6= 0), the function returns the isomorphism E → E mapping OE 7→ OF

and mapping (x, y) 7→ (u2x + r, u3y + su2x + t). This function returns an error ifthe values passed do not define such an isomorphism.

IsomorphismData(I)

The sequence [r, s, t, u] of elements defining the isomorphism I.

Example H103E54

We illustrate the isomorphism routines with some simple examples.

> K := GF(73);

> E1 := EllipticCurve([K | 3, 4, 2, 5, 1]);

> E2 := EllipticCurve([K | 8, 2, 29, 45, 28]);

> IsIsomorphic(E1, E2);

true

> m := Isomorphism(E1, E2, [3, 2, 1, 4]);

> m;

Elliptic curve isomorphism from: CrvEll: E1 to CrvEll: E2

Taking (x : y : 1) to (16*x + 3 : 64*y + 32*x + 1 : 1)

> P1 := Random(E1);

> P2 := Random(E1);

> m(P1 + P2) eq m(P1) + m(P2);

true

From the isomorphism data, we can apply the map by hand if desired:

> r, s, t, u := Explode(IsomorphismData(Inverse(m)));

> P3 := E2![ 69, 64 ];

> x, y := Explode(Eltseq(P3));

> E1 ! [ u^2*x + r, u^3*y + s*u^2*x + t ];

(68 : 32 : 1)

> m($1) eq P3;

true

IsIsomorphism(I)

This function returns true if and only if the isogeny I has the same action as someisomorphism, in which case it also returns the isomorphism.

IsomorphismToIsogeny(I)

This function takes a map I of type isomorphism and returns an equivalent mapwith type isogeny.


Example H103E55

An example of how to use the previous two functions to transform isogenies to isomorphisms andvice versa.

> FF := FiniteField(23);

> E0 := EllipticCurve([FF | 1, 1]);

> E1 := EllipticCurve([FF | 3, 2]);

> b, iso := IsIsomorphic(E0, E1);

> b;

true

> iso;

Elliptic curve isomorphism from: CrvEll: E0 to CrvEll: E1

Taking (x : y : 1) to (16*x : 18*y : 1)

> isog := IsomorphismToIsogeny(iso);

> isog;

Elliptic curve isogeny from: CrvEll: E0 to CrvEll: E1

taking (x : y : 1) to (16*x : 18*y : 1)

> b, new_iso := IsIsomorphism(isog);

> b;

true

> inv := Inverse(new_iso);

> P := Random(E0);

> inv(isog(P)) eq P;

true

TranslationMap(E, P)

Given a rational point P on the elliptic curve E, the function returns the morphismtP : E → E defined by tP (Q) = P + Q, for all rational points Q of E.

RationalMap(i, t)

Let i be an isogeny and t be a translation map tP : E → E where tP (Q) = P + Qfor some rational point P ∈ E. This function returns the rational map φ : E → Fobtained by composing i and t (applying t first). Any rational map E → F can berepresented in this form.

TwoIsogeny(P)

Given a 2-torsion point P of the elliptic curve E, create a 2-isogeny on E with P asits kernel.


Example H103E56

One may, of course, also define maps between elliptic curves using the generic map constructors,as the following examples show.

> E1 := EllipticCurve([ GF(23) | 1, 1 ]);

> E2 := EllipticCurve([ GF(23, 2) | 1, 1 ]);

The doubling map on E1 lifted to E2:

> f := map<E1 -> E2 | P :-> 2*P>;

Two slightly different ways to define the negation map on E1 lifted to E2:

> f := map<E1 -> E2 | P :-> E2![ P[1], -P[2], P[3] ]>;

> f := map<E1 -> E2 | P :-> (P eq E1!0) select E2!0

> else E2![ P[1], -P[2], 1 ]>;

IsogenyFromKernel(G)

Let G be a subgroup scheme of an elliptic curve E. There is a separable isogenyf : E → Ef of degree d to some other elliptic curve Ef , which has kernel G. Thisfunction returns the curve Ef and the map f using Velu’s formulae.

IsogenyFromKernelFactored(G)

Returns a sequence of isogenies whose product is the isogeny returned by the invo-cation IsogenyFromKernel(G). The isogenies have either degree 2 or odd degree.This function was introduced because composing isogenies can be computationallyexpensive. The generic Expand function on a composition of maps can then be usedif desired.

IsogenyFromKernel(E, psi)

Given an elliptic curve E and a univariate polynomial which defines a subscheme ofE which is a subgroup of the set of rational points for E, compute an isogeny usingVelu’s formulae as above.

IsogenyFromKernelFactored(E, psi)

Returns a sequence of isogenies whose product is the isogeny returned by the in-vocation IsogenyFromKernel(E, psi). The isogenies have either degree 2 or odddegree. This function was introduced because composing isogenies can be computa-tionally expensive. The generic Expand function on a composition of maps can thenbe used if desired.

PushThroughIsogeny(I, v)

PushThroughIsogeny(I, G)

Given an isogeny I, and a subgroup G which contains the kernel of I, find theimage of G under the action of I. The subgroup G may be replaced by its definingpolynomial v.


DualIsogeny(phi)

Given an isogeny φ : E1 → E2, the function returns another isogeny φ∗ : E2 → E1

such that φ∗ φ is multiplication by the degree of φ. The result is remembered andDualIsogeny(DualIsogeny(phi)) returns phi.

Example H103E57

We exhibit one way of calculating the dual of an isogeny. First we create a curve and an isogenyf , with kernel equal to the full 5-torsion polynomial.

> E := EllipticCurve([GF(97) | 2, 3]);

> E1, f := IsogenyFromKernel(E, DivisionPolynomial(E, 5));

The image curve E1 is isomorphic, but not equal to the original curve E. We proceed to find thedual of f .

> deg := Degree(f);

> psi := DivisionPolynomial(E, deg);

> f1 := PushThroughIsogeny(f, psi);

> E2, g := IsogenyFromKernel(E1, f1);

> // Velu’s formulae give an isomorphic curve, not the curve itself.

> IsIsomorphic(E2, E);

true

> h := Isomorphism(E2, E);

> f_dual := g*IsomorphismToIsogeny(h);

The latter isogeny is the dual of f , as we verify:

> &and [ f_dual(f(P)) eq deg*P : P in RationalPoints(E) ];

true

Of course, a simpler way to verify this is just to check equality:

> f_dual eq DualIsogeny(f);

true

103.12.2 Structure Operations

IsogenyMapPsi(I)

The univariate polynomial ψ used in defining the isogeny I. The roots of ψ determinethe kernel of I.

IsogenyMapPsiMulti(I)

The polynomial ψ used in defining the isogeny I as a multivariate polynomial.

IsogenyMapPsiSquared(I)

The denominator of the fraction giving the image of the x-coordinate of a pointunder the isogeny I (the numerator is returned by IsogenyMapPhi(I)).


IsogenyMapPhi(I)

The univariate polynomial φ used in defining the isogeny I.

IsogenyMapPhiMulti(I)

The polynomial φ used in defining the isogeny I as a multivariate polynomial.

IsogenyMapOmega(I)

The multivariate polynomial ω used in defining the isogeny I.

Kernel(I)

The subgroup of the domain consisting of the elements that map to zero under theisogeny I.

Degree(I)

The degree of the morphism I.

103.12.3 The Endomorphism RingLet E be an elliptic curve defined over the field K. The set of endomorphisms End(E) ofE to itself forms a ring under composition and addition of maps.

The endomorphism ring of E always contains a subring isomorphic to Z. A curve Ewhose endomorphism ring contains additional isogenies is said to have complex multipli-cation. If E is defined over a finite field, then E always has complex multiplication. Theendomorphism ring of E is isomorphic to an order in either a quadratic number field or aquaternion algebra.

MultiplicationByMMap(E, m)

The multiplication-by-m endomorphism [m] : E → E of the elliptic curve E, suchthat [m](P ) = m ∗ P .

IdentityIsogeny(E)

The identity isogeny E → E of the elliptic curve E.

IdentityMap(E)

The identity map E → E of the elliptic curve E as an isomorphism.

FrobeniusMap(E, i)

The Frobenius isogeny (x : y : 1) 7→ (xpi

: ypi

: 1) of an elliptic curve E defined overa finite field of characteristic p.

FrobeniusMap(E)

Equivalent to FrobeniusMap(E, 1).


Example H103E58

We check the action of the FrobeniusMap function.

> p := 23;

> FF1 := FiniteField(p);

> FF2 := FiniteField(p, 2);

> E1 := EllipticCurve([FF1 | 1,3]);

> E2 := BaseExtend(E1,FF2);

> frob := FrobeniusMap(E2, 1);

> # E1!P : P in RationalPoints(E2) | P eq frob(P) eq #E1;

true

103.12.4 The Automorphism GroupLet E be an elliptic curve defined over the field K. The set of automorphisms Aut(E) ofE forms a group under composition of maps. Recall that an automorphism is defined bythe sequence [r, s, t, u] such that (x, y) 7→ (u2x + r, u3y + su2x + t).

IdentityMap(E)

The identity isomorphism which fixes every point of the elliptic curve E. Thedefining coefficients are [r, s, t, u] = [0, 0, 0, 1].

NegationMap(E)

The isomorphism of the elliptic curve E which maps P to −P , for all P ∈ E.

f * g

Composition of the maps f and g, corresponding to multiplication in the automor-phism group.

103.12.5 Predicates on Isogenies

IsZero(I)

IsConstant(I)

Returns true if and only if the image of the isogeny I is the zero element of itscodomain.

I eq J

Returns true if and only if the isogenies I and J are equal.


103.13 The formal group lawThese functions are for elliptic curves over any field.

FormalGroupLaw(E, prec)

A polynomial in two variables, T1 + T2 + . . ., which expresses the formal group lawassociated to addition on E, to precision ’prec’ (more precisely, including the termsof total degree less than or equal to ’prec’).

The formal variables (T1 and T2) may be identified with the function x/y on E(where x and y are the standard affine coordinates on E); note that this function isa local coordinate in a neighbourhood of OE .

FormalGroupHomomorphism(phi, prec)

The homomomorphism of formal groups associated to the given isogeny phi. Thisis returned as a power series in one variable (with precision ’prec’). (The formalgroups involved are those returned by FormalGroupLaw applied to the domain andcodomain of phi.)

FormalLog(E)

Precision RngIntElt Default : 10The formal logarithm for the given elliptic curve E, given as follows. The functionreturns two objects: a power series f(T ), and a point P (T ) on E defined over thepower series ring, such that the map P (T ) 7→ f(T ) expresses the formal logarithm.

As with FormalGroupLaw, the variable T may be identified with the function x/yon E. In particular, P (T ) is the same projective point as (T : 1 : z(T )), for somepower series z(T ).

103.14 Curves over p-adic FieldsThe functions in this section are for elliptic curves defined over p-adic fields.


Conductor(E)

The conductor of the elliptic curve E defined over a p-adic field.

LocalInformation(E)

Implements Tate’s algorithm for the elliptic curve E over a p-adic field. This intrinsiccomputes local reduction data at the prime ideal P , and a local minimal model.The model is not required to be integral on input. Output is 〈P, vp(d), fp, cp,K, s〉and Emin where P is the uniformizer of the ground field, vp(d) is the valuationof the local minimal discriminant, fp is the valuation of the conductor, cp is theTamagawa number, K is the Kodaira Symbol, and s is false if the curve hasnon-split multiplicative reduction and true otherwise. Emin is an integral minimalmodel of E.


RootNumber(E)

The local root number of the elliptic curve E (defined over a p-adic field).

103.15 Bibliography

[BC04] W. Bosma and J. Cannon, editors. Discovering Mathematics with Magma.Springer-Verlag, Heidelberg, 2004.

[Bos00] Wieb Bosma, editor. ANTS IV, volume 1838 of LNCS. Springer-Verlag, 2000.[Bru02] N. R. Bruin. Chabauty methods and covering techniques applied to generalized

Fermat equations. PhD thesis, University of Leiden, Amsterdam, 2002. Dissertation,University of Leiden, Leiden, 1999.

[Bru03] Nils Bruin. Chabauty methods using elliptic curves. J. reine angew. Math.,562:27–49, 2003.

[Bru04] Nils Bruin. Some ternary Diophantine equations of signature (n, n, 2). InBosma and Cannon [BC04].

[Cas66] J. W. S. Cassels. Diophantine equations with special reference to elliptic curves.J. London Math. Soc., 41:150–158, 1966.

[Cas91] J. W. S. Cassels. Lectures on elliptic curves, volume 24 of London MathematicalSociety Student Texts. Cambridge University Press, Cambridge, 1991.

[CFO+a] J.E. Cremona, T.A Fisher, C. O’Neil, D. Simon, and M Stoll. Explicit n-Descent On Elliptic Curves, I. Algebra.

[CFO+b] J.E. Cremona, T.A Fisher, C. O’Neil, D. Simon, and M Stoll. Explicit n-Descent On Elliptic Curves, II. Geometry.

[CFO+c] J.E. Cremona, T.A Fisher, C. O’Neil, D. Simon, and M Stoll. Explicit n-Descent On Elliptic Curves, III. Algorithms.

[Coh93] Henri Cohen. A Course in Computational Algebraic Number Theory, volume138 of Graduate Texts in Mathematics. Springer, Berlin–Heidelberg–New York, 1993.

[Cre97] J. E. Cremona. Algorithms for modular elliptic curves. Cambridge UniversityPress, Cambridge, second edition, 1997.

[Cre99] John Cremona. Reduction of binary cubic and quartic forms. LMS JCM,2:62–92, 1999.

[Cre01] John Cremona. Classical invariants and 2-descent on elliptic curves. J.Symbolic Comp., 31:71–87, 2001.

[Elk00] N. Elkies. Rational Points Near Curves and Small Nonzero |x3−y2| via LatticeReduction. In Bosma [Bos00], pages 33–63.

[FK02] Claus Fieker and David R. Kohel, editors. ANTS V, volume 2369 of LNCS.Springer-Verlag, 2002.

[GZ86] Gross and Zagier. Heegner Points and Derivatives of L-series. Invent. Math.,84:225–320, 1986.


[Kra81] K. Kramer. Arithmetic of elliptic curves upon quadratic extension. Trans.Amer. Math. Soc., 264(1):121–135, 1981.

[MSS96] J. R. Merriman, S. Siksek, and N. P. Smart. Explicit 4-descents on an ellipticcurve. Acta Arith., 77(4):385–404, 1996.

[Nag28] Trygve Nagell. Sur les proprietes arithmetiques des cubiques planes du premiergenre. Acta Math., 52:93–126, 1928.

[SC02] M. Stoll and J. Cremona. Minimal models for 2-coverings of elliptic curves.LMS JCM, 5:220–243, 2002.

[Sik95] Samir Siksek. Infinite descent on elliptic curves. Rocky Mountain J. Math.,25(4):1501–1538, 1995.

[Sil86] J. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Textsin Mathematics. Springer-Verlag, New York, 1986.

[SS04] Edward F. Schaefer and Michael Stoll. How to do a p-descent on an ellipticcurve. Trans. Amer. Math. Soc., 356(3):1209–1231 (electronic), 2004.

[Sta05] Sebastian Stamminger. Explicit 8-descent On Elliptic Curves. PhD Thesis,International University Bremen, 2005. available atURL:http://www.jacobs-university.de/research/dissertations/.

[SW02] W. A. Stein and M. Watkins. A New Database of Elliptic Curves—FirstReport. In Fieker and Kohel [FK02].

[Wat02] M. Watkins. Computing the modular degree of an elliptic curve. ExperimentalMathematics, 11(4):487–502, 2002.

[Wom03] T. Womack. Explicit descent on elliptic curves. PhD thesis, University ofNottingham, 2003.

104 ELLIPTIC CURVESOVER FINITE FIELDS

104.1 Supersingular Curves . . . 3359

IsSupersingular(E: -) 3359IsOrdinary(E) 3359IsProbablySupersingular(E) 3359

104.2 The Order of the Group ofPoints . . . . . . . . . . 3360

104.2.1 Point Counting . . . . . . . . 3360

# 3360Order(E) 3360FactoredOrder(E) 3360SEA(H: -) 3360SEA(E: -) 3360SetVerbose("SEA", v) 3363Order(E, r) 3363Trace(E) 3364TraceOfFrobenius(E) 3364Trace(E, r) 3364TraceOfFrobenius(E, r) 3364

104.2.2 Zeta Functions . . . . . . . . 3365

ZetaFunction(E) 3365

104.2.3 Cryptographic Elliptic Curve Do-mains . . . . . . . . . . . . 3366

CryptographicCurve(F) 3366ValidateCryptographicCurve(E,

P,ordP,h) 3366SetVerbose("ECDom", v) 3367

104.3 Enumeration of Points . . . 3367

Points RationalPoints 3367Points RationalPoints 3367Random(H) 3368Random(E) 3368

104.4 Abelian Group Structure . . 3368

AbelianGroup(E) 3368

TorsionSubgroup(E) 3368Generators(H) 3368Generators(E) 3368NumberOfGenerators(H) 3368NumberOfGenerators(E) 3368Ngens(H) 3368Ngens(E) 3368

104.5 Pairings on Elliptic Curves . 3369

104.5.1 Weil pairing . . . . . . . . . 3369

WeilPairing(P, Q, n) 3369

104.5.2 Tate pairing . . . . . . . . . 3369

TatePairing(P, Q, n) 3369ReducedTatePairing(P, Q, n) 3370

104.5.3 Eta pairing . . . . . . . . . . 3370

EtaTPairing(P, Q, n, q) 3370ReducedEtaTPairing(P, Q, n, q) 3370EtaqPairing(P, Q, n, q) 3371

104.5.4 Ate pairing . . . . . . . . . . 3371

AteTPairing(Q, P, n, q) 3371ReducedAteTPairing(Q, P, n, q) 3371AteqPairing(P, Q, m, q) 3371

104.6 Weil Descent in CharacteristicTwo . . . . . . . . . . . 3375

WeilDescent(E,k,c) 3375WeilDescentGenus(E,k,c) 3376WeilDescentDegree(E,k,c) 3376

104.7 Discrete Logarithms . . . . 3377

Log(Q, P) 3377Log(Q, P, t) 3378

104.8 Bibliography . . . . . . . 3379

Chapter 104

ELLIPTIC CURVESOVER FINITE FIELDS

This chapter describes the specialised facilities for elliptic curves defined over finite fields.Details concerning their construction, arithmetic and basic properties may be found inChapter 103. Most of the machinery has been constructed with Elliptic Curve Cryptogra-phy in mind.

The first major group of intrinsics relate to the determination of the order of the groupof rational points of an elliptic curve over a large finite field. A variety of canonical liftalgorithms are provided for characteristic 2 fields while the SEA algorithm is used for fieldshaving characteristic greater than 2. These tools are used as the basis for functions thatsearch for curves suitable for cryptographic applications.

A function for computing the Weil pairing forms the basis of the MOV reduction of thediscrete logarithm problem (DLP) for a supersingular elliptic curve to a DLP in a finitefield. A second type of attack on the DLP is based on the use of Weil desacent. Toolsimplementing a generalisation of the GHS attack for ordinary curves in characteristic 2are provided.

Finally, for a direct attack on the DLP for elliptic curves, a parallel collision searchversion of the Pollard rho algorithm is available.

104.1 Supersingular Curves

IsSupersingular(E: parameters)

Proof BoolElt Default : true

Given an elliptic curve E over a finite field, this function returns false ifE is ordinary, otherwise proves that E is supersingular. If the parameterProof is set to false, then the effect of the function is the same as that ofIsProbablySupersingular.

IsOrdinary(E)

Given an elliptic curve E over a finite field, this function returns true if the ellipticcurve E is ordinary, otherwise false (i.e., if it is supersingular). Thus, this functionis the logical negation of IsSupersingular.

IsProbablySupersingular(E)

Given an elliptic curve E over a finite field, this function returns returns falseif the elliptic curve E is proved to be ordinary, otherwise true. The algorithm isnondeterministic, and repeated tests are independent.


104.2 The Order of the Group of Points

104.2.1 Point CountingMagma contains an efficient implementation of the Schoof–Elkies–Atkin (SEA) algorithm,with Lercier’s extension to base fields of characteristic 2, for computing the number ofpoints on an elliptic curve over a finite field. There are also implementations of the fasterp-adic canonical lift methods in small characteristic. Calculations are performed in thesmallest field over which the curve is defined, and the result is lifted to the original field.

Like all group functions on elliptic curves, these intrinsics really apply to a particularpoint set; the curve is identified with its base point set for the purposes of these functions.To aid exposition only the versions that take the curves are shown but an appropriatepoint set (over a finite field) may be used instead.

#E

Order(E)

The order of the group of K-rational points of E, where E is an elliptic curve definedover the finite field K.

FactoredOrder(E)

This function returns the factorization of the order of the group of K-rational pointsof E, where E is an elliptic curve defined over the finite field K. This factorizationis stored on E, and is reused when computing the order of points on E.

SEA(H: parameters)

SEA(E: parameters)

Al MonStgElt Default : "Default"

MaxSmooth RngIntElt Default : ∞AbortLevel RngIntElt Default : 0UseSEA BoolElt Default : false

This is the internal algorithm used by the point counting routines, but it can beinvoked directly on an elliptic curve E or a point set H if desired. The most obviousreason to do this is because of the parameters AbortLevel and MaxSmooth, whichallow the computation to be stopped early if it can be shown not to satisfy certainconditions (such as the order of the group being prime).Warning: Unlike the external functions which call it (such as Order andFactoredOrder), SEA does not store the computed group order back on the curveitself, and so functions which need the group order will have to recompute it.

The parameter Al can be set to one of "Enumerate", "BSGS", or "Default".Setting Al to "Enumerate" causes the group order to be found by enumeration ofall points on the curve, and hence is only practical for small orders. Setting Alto "BSGS" is currently equivalent to choosing Al to "Default", which uses pointenumeration for suitably small finite fields, the full Schoof–Elkies–Atkin algorithm

Ch. 104 ELLIPTIC CURVES OVER FINITE FIELDS 3361

if the characteristic is not small, and canonical lift methods if it is. Currently, smallcharacteristic means p <= 59 or p = 71.

The canonical lift methods use a range of techniques to lift a modular parameterof the curve to an unramified p-adic ring. If a Gaussian Normal Basis of type ≤ 2exists for that ring (see HasGNB on page 4-1074), then the method of Lercier andLubicz from [LL03] is used with some local adaptations by Michael Harrison toincrease the speed for fields of moderate size. Otherwise, the MSST algorithm asdescribed in [Gau02] is used for fields up to a certain size with Harley’s recursiveversion ([Har]) taking over for larger fields.

For p < 10 and p = 13, the modular parameter used is a generator of the functionfield of a genus 0 modular curve X0(pr). The parameter gives a particularly nicemodular polynomial Φ for use in the above-mentioned iterative lifting processes (see[Koh03]). In these cases, Φ has a relatively simple factored form and evaluationsare hand-coded for extra efficiency.

For p where X0(p) is hyperelliptic (excepting the anomalous case p = 37), weuse a new method, developed by Michael Harrison, which lifts a pair of modularparameters corresponding to the x and y coordinates in a simple Weierstrass modelof X0(p).

For the few remaining small p not covered by the above cases, we simply use thej-invariant as modular parameter, working with the classical modular polynomialΦ.

To use Schoof–Elkies–Atkin in small characteristic (with Lercier’s improvements)instead of canonical lift, set UseSEA to true.

The parameter MaxSmooth can be used to specify a limit on the number of smallprimes that divide the group order. That is, we will consider the group order tobe “smooth” if it is divisible by the product of small primes and this product islarger than the value of MaxSmooth. Then the possible values of AbortLevel havethe following meanings:

0 : abort if the curve has smooth order.1 : abort if both the curve and its twist have smooth order.2 : abort if either the curve or its twist have smooth order.

If the early abort is triggered then the returned group order is 0.One common use of these parameters is when searching for a curve with prime

order. Setting MaxSmooth := 1 will cause the early termination of the algorithm ifa small factor of the order is found. If, however, the algorithm did not abort thenthe group order is not necessarily prime — this just means that no small primedividing the order was encountered during the computation.

Note that the canonical lift methods give no intermediate data on the order ofE, so MaxSmooth and AbortLevel have no effect when these methods are used.

Example H104E1

The first examples in characteristic 2 illustrate the increased speed when we work with fields that


have GNBs available:

> //example with no Gaussian Normal Basis (GNB)

> K := FiniteField(2,160); // finite field of size 2^160

> E := EllipticCurve([K!1,0,0,0,K.1]);

> time #E;

1461501637330902918203686141511652467686942715904

Time: 0.100

> //example with a GNB of Type 1

> HasGNB(pAdicRing(2,1),162,1);

true



> time #E;

5846006549323611672814738806268278193573757976576

Time: 0.020

> //example with a GNB of Type 2



> time #E;

11972621413014756705924586057649971923911742202056704

Time: 0.090

and finally an example in characteristic 3 (with type 1 GNB)

> F := FiniteField(3,100);

> j := Random(F);

> E := EllipticCurveWithjInvariant(j);

> time #E;

515377520732011331036461505619702343613256090042

Time: 0.020

Here we can see the early abort feature in action:

> p := NextPrime(10^9);

> p;

1000000007

> K := GF(p);

> E := EllipticCurve([K | -1, 1]);

> time SEA(E : MaxSmooth := 1);

0

Time: 0.010

> time #E;

1000009476

Time: 0.070

For curves this small the amount of time saved by an early abort is fairly small, but for curvesover large fields the savings can be quite significant. As mentioned above, even when SEA doesnot abort there is no guarantee that the curve has prime order:




1000000008

> IsSupersingular(E);

true

> E := EllipticCurve([K | -30, 1]);


1000035283

> Factorization($1);

[ <13, 1>, <709, 1>, <108499, 1> ]

In the first case the curve was supersingular, and so the order was easily computed directly; thusno early abort was attempted. The latter case shows that small primes may not be looked at evenwhen the curve is ordinary.Now let’s find a curve with prime order (see also CryptographicCurve on page 3366):

> for k in [1..p] do

> E := EllipticCurve([K | k, 1]);

> n := SEA(E : MaxSmooth := 1);

> if IsPrime(n) then

> printf "Found curve of prime order %o for k = %o\n", n, k;

> break;

> end if;

> end for;

Found curve of prime order 999998501 for k = 29

> E;


> #E;

999998501

SetVerbose("SEA", v)

This procedure changes the verbose printing level for the SEA algorithm whichcounts the number of points on an elliptic curve. Currently the legal values for v arefalse, true, or an integer between 0 and 5 (inclusive), where false is equivalentto 0 and true equivalent to 1. A nonzero value gives information during the courseof the algorithm, increased in verbosity for higher values of v.

N.B. The previous name for this verbose flag, "ECPointCount" is now deprecatedand will be removed in a future release. It should continue to function in this release,but its verbose levels are different to those of "SEA".

Order(E, r)

The order of the elliptic curve E over the extension field of K of degree r, where Kis the base field of E. The order is found by calculating the order of E over K andlifting.


Trace(E)

TraceOfFrobenius(E)

The trace of the Frobenius endomorphism on the elliptic curve E, equal to q+1−n,where q is the cardinality of the coefficient field and n is the order of the group ofrational points of E.

Trace(E, r)

TraceOfFrobenius(E, r)

The trace of the r-th power Frobenius endomorphism, where E is an elliptic curveover a finite field.

Example H104E2

The computation of the order of a curve over a finite field invokes the SEA algorithm. This datadetermines the number of points over all finite extensions, and is equivalent to the data for thetrace of Frobenius. The value of the trace of Frobenius and group order over all extensions istherefore a trivial computation.

> FF<w> := GF(2^133);

> E := EllipticCurve([1, 0, 0, 0, w]);

> time #E;

10889035741470030830941160923712974513152

Time: 8.830

> FactoredOrder(E);

[ <2, 10>, <3, 2>, <150959, 1>, <654749, 1>, <11953995917236774217401867, 1> ]

> time TraceOfFrobenius(E);

-113173485896391746559

Time: 0.000

> time TraceOfFrobenius(E, 3);

2247497466279379392112525914232899060001042788725924296315905

Time: 0.000

Example H104E3

The following code demonstrates the computation of twists of an elliptic curve over a finite field,and the relation with the trace of Frobenius.

> E := EllipticCurveFromjInvariant(GF(101^2)!0);

> Twists(E);

[

Elliptic Curve defined by y^2 = x^3 + 1 over GF(101^2),

Elliptic Curve defined by y^2 = x^3 + (61*w + 91) over GF(101^2),




Elliptic Curve defined by y^2 = x^3 + (87*w + 81) over GF(101^2)

]



true

Since E is supersingular, so are the twists of E. Hence the traces are divisible by the prime:

> [ TraceOfFrobenius(F) : F in Twists(E) ];

[ -202, -101, 101, 202, 101, -101 ]

> [ TraceOfFrobenius(F) : F in QuadraticTwists(E) ];

[ -202, 202 ]

We see that the traces come in pairs; the trace of a curve is the negative of the trace of itsquadratic twist. This is not just true of the supersingular curves:

> E := EllipticCurveFromjInvariant(GF(101^2)!12^3);

> Twists(E);

[

Elliptic Curve defined by y^2 = x^3 + x over GF(101^2),

Elliptic Curve defined by y^2 = x^3 + (40*w + 53)*x over GF(101^2),

Elliptic Curve defined by y^2 = x^3 + (3*w + 99)*x over GF(101^2),

Elliptic Curve defined by y^2 = x^3 + (92*w + 19)*x over GF(101^2)

]


false

> [ TraceOfFrobenius(F) : F in Twists(E) ];

[ -198, 40, 198, -40 ]

> [ TraceOfFrobenius(F) : F in QuadraticTwists(E) ];

[ -198, 198 ]

104.2.2 Zeta Functions

ZetaFunction(E)

Given an elliptic curve E over a finite field, the function returns the zeta functionof E as a rational function in one variable.

Note that each of the function calls Order(E), Trace(E), and ZetaFunction(E) invokethe same call to the SEA algorithm and determine equivalent data.

Example H104E4

The zeta function ζE(t) of an elliptic curve E over a finite field Fq is a rational function whoselogarithmic derivative has the power series expansion:

d log ζE(t)

d log t=

∞∑n=1

|E(Fqn)| tn

The following example illustrates this property of ζE(t).

> p := 11;


> E := EllipticCurve([GF(p) | 1, 2]);

> Z := ZetaFunction(E);

> Q<t> := LaurentSeriesRing(Rationals());

> t*Derivative(Log(Evaluate(Z, t))) + O(t^7);

16*t + 128*t^2 + 1264*t^3 + 14848*t^4 + 160976*t^5 + 1769600*t^6 + O(t^7)

> [ Order(E, n) : n in [1..6] ];

[ 16, 128, 1264, 14848, 160976, 1769600 ]

104.2.3 Cryptographic Elliptic Curve DomainsThis section describes functions for generating/validating good cryptographic EllipticCurve Domains. The basic data of such a domain is an elliptic curve E over a finitefield together with a point P on E such that the order of P is a large prime and the pair(E, P ) satisfies the standard security conditions for being resistant to MOV and Anomalousattacks (see [JM00]).

CryptographicCurve(F)

ValidateCryptographicCurve(E,P,ordP,h)

OrderBound RngIntElt Default : 2160

Proof BoolElt Default : true

UseSEA BoolElt Default : false

Given a finite field F , the first function finds a random Elliptic Curve Domain overF . It generates elliptic curves over F until a suitable one is found. For each curvegenerated, the order #E is calculated and a check is made as to whether sieving#E by small primes leaves a strong pseudoprime

p ≥ max(OrderBound, 4√

(#F )).

If so, the security conditions (which only depend on the order of P ) are checked forp. Finally, if Proof is true, p is proven to be prime. If all the above hold true, arandom point P on E of order p is found and E, P, p, #E/p are returned.

If the Schoof–Atkins–Elkies method is used for computing #E, then the earlyabort mechanism (see SEA on page 3360) can help to shortcut the process whenOrderBound is close to #F . However, it is generally still quicker overall, for largefields, using the much faster p-adic point-counting methods (when they apply). Toforce the use of the SEA method for point-counting, set UseSEA := true. This isnot recommended!

Given data of the form returned by the first function as input, the second functionverifies that it is valid data for a secure EC Domain with ordP satisfying the aboveinequality for p. If Proof is true (resp. false), ordP is proven to be prime (resp.subjected to a strong pseudoprimality test).

NB: For the first function, it is required that #F ≥ OrderBound (or 2 ∗OrderBound if F has characteristic 2 when all ordinary elliptic curves have evenorder).


SetVerbose("ECDom", v)

Set the verbose printing level for progress output when running the above functions.Currently the legal values for v are true, false, 0, 1 and 2 (false is the same as0, and true is the same as 1).

Example H104E5

For a bit of extra speed, we look for curves over F = GF (2196) where a Type 1 GNB exists forp-adic point-counting (see SEA on page 3360). We begin by looking for a curve over F with apoint whose order is greater than the default OrderBound.

> SetVerbose("ECDom",1);

> F := FiniteField(2,196);

> E,P,ord,h := CryptographicCurve(F);

Finished! Tried 2 curves.

Total time: 1.721

> ord;h;

12554203470773361527671578846370731873587186564992869565421

8

Now we search for a curve whose order is twice a prime (the best we can do in characteristic 2!).This can be accomplished by setting OrderBound to half the field size.

> E,P,ord,h := CryptographicCurve(F : OrderBound := 2^195);

Finished! Tried 102 curves.

Total time: 22.049

> ord;h;

50216813883093446110686315385797359941852852162929185668319

2

> ValidateCryptographicCurve(E,P,ord,h);

Verifying primality of the order of P...

true

104.3 Enumeration of Points

In this section the descriptions will refer to a point set H, which is either the H in thesignature or the base point set of the elliptic curve E in the signature.

Points(H) RationalPoints(H)

Points(E) RationalPoints(E)

Returns the set of rational points of the point set H or of the base point set of theelliptic curve E, including the point at infinity.


Random(H)

Random(E)

Returns a random rational point of the point set H or of the base point set of theelliptic curve E. Every rational point has a roughly equal chance of being selected,including the zero element.

104.4 Abelian Group StructureLike all group functions on elliptic curves, these intrinsics really apply to a particular pointset; the curve is identified with its base point set for the purposes of these functions. Toaid exposition only the versions that take the curves are shown but an appropriate pointset (over a finite field) may be used instead.

AbelianGroup(E)

TorsionSubgroup(E)

Computes the abelian group isomorphic to the group of rational points on the ellipticcurve E over a finite field. The function returns two values: an abelian group A anda map m from A to E. The map m provides an isomorphism between the abstractgroup A and the group of rational points on the curve.

Generators(H)

Generators(E)

Given an elliptic curve E defined over a finite field or a pointset H of E, thisfunction returns generators for the group of points of E. The i-th element of thesequence corresponds to the i-th generator of the group as returned by the functionAbelianGroup.

NumberOfGenerators(H)

NumberOfGenerators(E)

Ngens(H)

Ngens(E)

The number of generators of the group of rational points of (the point set Hof) the elliptic curve E; this is simply the length of the sequence returned byGenerators(E).

Example H104E6

A simple example of some of the above calls in action:

> FF<w> := GF(1048583, 2);

> E := EllipticCurve([ 1016345*w + 272405, 660960*w + 830962 ]);

> A, m := AbelianGroup(E);

> A;

Abelian Group isomorphic to Z/3 + Z/366508289334



Relations:

3*A.1 = 0

366508289334*A.2 = 0

> S := Generators(E);

> S;

[ (191389*w + 49138 : 878749*w + 1008891 : 1), (852793*w + 24192 :

376202*w + 48552 : 1) ]

> S eq [ m(A.1), m(A.2) ];

true

104.5 Pairings on Elliptic CurvesPairings on elliptic curves over finite fields have many uses, ranging from checking indepen-dence of torsion points to more practical applications in cryptography. Both destructiveapplications (such as the MOV attack), but also constructive applications as pairing basedcryptography are worth mentioning. Magma now contains an implementation of the mostpopular pairings on elliptic curves over finite fields, including the Weil pairing, the Tatepairing and various versions of the Eta and Ate pairings.

All pairings evaluate what is now called a Miller function, denoted by fn,P and definedas any function on E with divisor n(P ) − ([n]P ) − (n − 1)∞, where ∞ is the point atinfinity of the curve.

104.5.1 Weil pairingThe Weil pairing is a non-degenerate bilinear map from E[n]×E[n] to µn, the n-th rootsof unity. The Weil pairing wn(P, Q) is computed as (−1)nfn,P (Q)/fn,Q(P ).

WeilPairing(P, Q, n)

Given n-torsion points P and Q on an elliptic curve E. this function computes theWeil pairing of P and Q. Both points need to be in the same point set.

104.5.2 Tate pairingThe Tate pairing (sometimes called the Tate-Lichtenbaum pairing) is a non-degeneratebilinear map from E[n] × E/nE into K∗/(K∗)n, where K is a finite field containing then-th roots of unity. In practice, one often works with the reduced version of the pairingby mapping into µn using the final exponentiation, i.e. powering by #K∗/n. The Tatepairing tn(P, Q) is computed as fn,P (Q).

TatePairing(P, Q, n)

Given an n-torsion point P and a point Q on an elliptic curve, this function computesthe Tate pairing tm(P,Q) by returning a random representative of the coset. Bothpoints need to be in the same point set; the field K is the field of definition of thispoint set.


ReducedTatePairing(P, Q, n)

Given an n-torsion point P and a point Q on an elliptic curve, this function computesthe reduced Tate pairing em(P, Q) = tm(P, Q)(#K−1)/m. Both points need to be inthe same point set; the field K is the field of definition of this point set and n shoulddivide #K − 1.

104.5.3 Eta pairingThe Eta pairing is only defined on supersingular curves and can be considered as anoptimised version of the Tate pairing. It works as follows.

E is a supersingular elliptic curve defined over Fq and n|#E(Fq). k >= 1, the securitymultiplier, is the smallest integer such that qk ≡ 1 mod n. Here, in the supersingular case,k divides 6. Now, E[n] ⊆ E(Fqk) is a free Z/nZ-module of rank 2 which splits into thedirect sum of 2 rank one eigenspaces under the action of F , q-Frobenius, with eigenvalues1 and q (as long as (n, k) = 1 and k > 1).

The Eta pairing is defined on the subgroup of E[n]×E[n] given by the product of thetwo F -eigenspaces G1 ×G2, where P ∈ G1 iff F (P ) = P and Q ∈ G2 iff F (Q) = [q]Q. G1

is just E(Fq)[n]. If R is an arbitrary n-torsion point in E(Fqk), k times its G1-componentis just the F -trace of R. This can be used to find non-trivial points in G2 - see the examplebelow.

There are three versions of the Eta pairing, one unreduced and two reduced versions.The Eta pairing eT (P, Q) is defined as fT,P (Q) where T = t− 1 and #E(Fq) = q + 1− tor T = q.

As for the Tate pairing, the unreduced version takes values in K∗/(K∗)n and thereduced versions in µn(K) where K is Fqk .

EtaTPairing(P, Q, n, q)

CheckCurve BoolElt Default : false

CheckPoints BoolElt Default : false

Given a supersingular elliptic curve E/Fq, two points P,Q in E[n] such that P =F (P ) and F (Q) = [q]Q with F the q-power Frobenius, this function computes theEta pairing with T = t − 1, where #E(Fq) = q + 1 − t. The result is non-reducedand thus a random representative of a whole coset. Both points need to be in thesame point set E(Fqk) and q should be the size of the basefield.

ReducedEtaTPairing(P, Q, n, q)



The reduced version of the EtaTPairing function.


EtaqPairing(P, Q, n, q)



Given a supersingular elliptic curve E/Fq, two points P, Q in E[n] such that P = F (P )and F (Q) = [q]Q with F the q-power Frobenius, this function computes the Eta pairingwith T = q. This pairing is automatically reduced, i.e. maps directly into n-th roots ofunity. Both points need to be in the same point set E(Fqk) and q should be the size of thebasefield.

One can explicitly check that the curve is supersingular and that the input points areindeed in the eigenspaces of Frobenius. By default Magma does not perform these checksfor efficiency reasons.

104.5.4 Ate pairingThe Ate pairing generalises the Eta pairing to all elliptic curves, but is defined on G2×G1,i.e. the arguments are swapped with respect to the Eta pairing. Like the Eta pairing,there are three versions, one unreduced and two reduced. The Ate pairing aT (Q,P ) withQ ∈ G2 and P ∈ G1 is defined as fT,Q(P ), where T = t − 1 and #E(Fq) = q + 1 − t orT = q.

AteTPairing(Q, P, n, q)


Given two points Q,P in E[n] such that F (Q) = [q]Q and P = F (P ) with F theq-power Frobenius, this function computes the Eta pairing with T = t − 1, where#E(Fq) = q + 1− t. The result is non-reduced and thus a random representative ofa whole coset. Both points need to be in the same point set E(Fqk) and q shouldbe the size of the basefield.

ReducedAteTPairing(Q, P, n, q)


The reduced version of the AteTPairing function.

AteqPairing(P, Q, m, q)


Given two points Q,P in E[n] such that F (Q) = [q]Q and P = F (P ) with F the q-power Frobenius, this function computes the Eta pairing with T = q. This pairing isautomatically reduced, i.e. maps directly into n-th roots of unity. Both points need to bein the same point set E(Fqk) and q should be the size of the basefield.

One can explicitly check that the input points are indeed in the eigenspaces of Frobenius.By default Magma does not perform these checks for efficiency reasons.


Example H104E7

In this example, we first create a so called BN-curve, which is an elliptic curve of the formE : y2 = x3 + b defined over Fp of prime order n and embedding degree k = 12. These curvescan be found easily by testing for which s both p(s) = 36s4 + 36s3 + 24s2 + 6s + 1 and n(s) =36s4 + 36s3 + 18s2 + 6s + 1 are prime. Finding the parameter b is equally easy by testing a fewrandom values, since there are only 6 isogeny classes. The point G = (1, y) can be used as basepoint.

> Zs<s> := PolynomialRing(Integers());

> ps := 36*s^4 + 36*s^3 + 24*s^2 + 6*s + 1;

> ns := 36*s^4 + 36*s^3 + 18*s^2 + 6*s + 1;

> z := 513235038556; // some random start value

> repeat

> z := z+1; p := Evaluate(ps, z); n := Evaluate(ns, z);

> until (IsProbablePrime(p) and IsProbablePrime(n));

> p;

2497857711095780713403056606399151275099020724723

> n;

2497857711095780713403055025937917618634473494829

> Fp := FiniteField(p);

> b := Fp ! 0;

> repeat

> repeat b := b + 1; until IsSquare(b + 1);

> y := SquareRoot(b + 1); E := EllipticCurve([Fp ! 0,b]); G := E![1,y];

> until IsZero(n * G);

> E;

Elliptic Curve defined by y^2 = x^3 + 18 over

GF(2497857711095780713403056606399151275099020724723)

> #E eq n; // just to verify

true

> t := p + 1 - n;

> t;

1580461233656464547229895

> k := 12; // security multiplier

> (p^k-1) mod n; // check on p, n and k

0

> Fpk := GF(p,k);

> N := Resultant(s^k - 1, s^2 - t*s + p); // number of points over big field

> Cofac := N div n^2;

> P := E(Fpk) ! G;

> Q := Cofac*Random(E(Fpk)); // Q has order n now

Up to this point we have constructed a BN-curve and two points of order n. As such we can testfor instance that P and 2P are linearly dependent:

> WeilPairing(P, 2*P, n) eq 1;


true

and also that the Weil pairing can be obtained from 2 Tate pairing computations:

> WeilPairing(P, Q, n) eq (-1)^n*TatePairing(P, Q, n)/TatePairing(Q, P, n);

true

or test the bilinearity of the reduced Tate pairing

> ReducedTatePairing(P, 2*Q, n) eq ReducedTatePairing(P, Q, n)^2;

true

and that the corresponding test for the Tate pairing would fail since the result is a randomrepresentative of the coset:

> TatePairing(P, 2*Q, n) eq TatePairing(P, Q, n)^2;

false

Since the curve is ordinary, we cannot use the Eta pairing on this curve. We can use the Atepairing, but this is defined on G2 ×G1 and up to this point, we only have a generator of G1. Tofind a generator of G2, we need to remove the component in Q that lies in G1. This can be doneeasily by using the trace of the point Q, i.e.

∑k−1

i=0F (Q) with F the p-power Frobenius. The trace

Tr(Q) equals k times the component of Q in G1.

> TrQ := &+[ E(Fpk) ! [Frobenius(Q[1], Fp, i), Frobenius(Q[2], Fp, i)] :

> i in [0..k-1]];

> Q := k*Q - TrQ;

At this point Q is in G2 and we can compute the Ate pairing of Q and P . For instance we cantest compatibility of the reduced Ate pairing with the reduced Tate pairing:

> T := t-1;

> L := (T^k-1) div n;

> c := &+[ T^(k-1-i)*pî : i in [0..k-1] ] mod n;

> ReducedAteTPairing(Q, P, n, p)^c eq ReducedTatePairing(Q, P, n)^L;

true

> Frobenius(AteqPairing(Q, P, n, p)^k, Fp, k-1) eq ReducedTatePairing(Q, P, n);

true

To test the Eta pairing computations we will use the following supersingular elliptic curve E :y2 + y = x3 + x + b with b = 0, 1 over a finite field F2m and m odd. These curves have securityparameter k = 4.

> F2m := GF(2,163);

> q := #F2m;

> E := EllipticCurve([F2m ! 0,0,1,1,1]);

> #E;

11692013098647223345629483497433542615764159168513

> IsPrime($1);

true

> n := #E;

> t := TraceOfFrobenius(E);

> P := Random(E);


> k := 4;

> F2m4 := ExtensionField<F2m, X | X^4 + X + 1>;

> N := Resultant(s^k - 1, s^2 - t*s + q); // number of points over big field

> Cofac := N div n^2;

> P := E(F2m4) ! P;

> Q := Cofac*Random(E(F2m4)); // Q has order n now

> TrQ := &+[ E(F2m4) ! [Frobenius(Q[1], F2m, i), Frobenius(Q[2], F2m, i)] :

> i in [0..k-1]];

> Q := k*Q - TrQ;

After this setup, we can now compute the Eta pairing and test compatibility with the Tate pairing.

> d := GCD(k, q^k-1);

> Frobenius(EtaqPairing(P, Q, n, q)^(k div d), F2m, k-1) eq

> ReducedTatePairing(P, Q, n);

true

Example H104E8

The following example demonstrates the Menezes, Okamoto, and Vanstone (MOV) reduction ofthe discrete logarithm on a supersingular elliptic curve to a discrete logarithm in a finite fieldusing the Weil Pairing. The group structure of a supersingular curve E over a finite prime fieldFp for p > 3 can be Z/nZ or Z/2Z × Z/(n/2)Z, where n = p + 1, and the group structure overa degree 2 extension is Z/nZ × Z/nZ. The nontrivial Weil pairing on this is the basis for thisreduction.

> p := NextPrime(2^131);

> n := p + 1;

> n;

2722258935367507707706996859454145691688

> Factorization(n);

[ <2, 3>, <3, 2>, <37809151880104273718152734159085356829, 1> ]

> E0 := SupersingularEllipticCurve(GF(p));

> G<x>, f := AbelianGroup(E0);

> G;

Abelian Group isomorphic to Z/2722258935367507707706996859454145691688

Defined on 1 generator

Relations:

2722258935367507707706996859454145691688*x = 0

> n eq #G;

true

> P0 := f(x);

> E1 := BaseExtend(E0,GF(p^2));

> P1 := E1!P0;

> repeat

> Q1 := Random(E1);

> z1 := WeilPairing(P1, Q1, n);

> until Order(z1) eq n;

> IsOrder(Q1, n);


true

> r := 1234567;

> z2 := WeilPairing(r*P1, Q1, n);

> z1^r eq z2;

true

> WeilPairing(P1, r*P1, n);

1

104.6 Weil Descent in Characteristic Two

One approach to attacking the discrete logarithm problem for elliptic curves over finitefields is through Weil descent. Let E have base field K and let k be a subfield of K. Thebasic idea is to find a higher genus curve C/k along with a non-trivial homomorphism fromE(K) to Jac(C)(k) [the Jacobian of C]. This transfers the problem to one over a smallerfield and Index Calculus methods over C can then be applied.

Magma now contains an implementation, due to Florian Heß, of the GHS Weil Descentfor ordinary (ie j(E) 6= 0) elliptic curves in characteristic 2 (see [Gau00] or the chapter byF. Heß in [Bla05]), which constructs such a C along with the divisor map from E to C.

WeilDescent(E,k,c)

HyperellipticImage BoolElt Default : true

The curve E/K is an ordinary elliptic curve over a finite field K of characteristic 2.The argument k is a subfield of K and c is a non-zero element of K.

The function uses GHS descent to construct a plane curve C/k and a map fromE(K) to k-divisors of C. There are two possibilities:

i) The curve C is hyperelliptic and Magma implements the group law on itsJacobian, Jac(C). In this case, C will be returned as a hyperelliptic curve (typeCrvHyp) and the map returned will actually be the divisor class homomorphismfrom E(K) to Jac(C)(k) [points of E(K) being identified with divisor classes in theusual way: P ↔ (P )− (0) ]

ii) Otherwise, C is returned as a general plane curve and the map is from pointsof E(K), considered as divisors of degree 1, to the corresponding k-divisor of C.In this case, where specialised Jacobian arithmetic is not available, it may be moreconvenient to work with the effective divisors rather than degree 0 divisors. Theuser may readily convert to the degree 0 case by getting h(0) initially and then usingh((P )− (0)) = h(P )− h(0), where h is the divisor map.

In case ii), no reduction of the image divisor is performed by the divisor mapand if [K : k] is large then this divisor will have high degree and the computationmay be quite slow. h is defined by divisor pullback corresponding to the functionfield inclusion K(E) → K(C) followed by the trace from K down to k.

If the user prefers to have C and h returned as in case ii), even when C ishyperelliptic, the parameter HyperellipticImage should be set to false.


The third argument c is a parameter to specify the precise data for the descent.If r =

√(1/j(E)) and b = r/c, the function field K(E) is isomorphic to the degree

2 extension of the rational function field K(x) with equation

y2 + y = c/x + a2(E) + bx

and it is this Artin-Schreier extension that is used for the GHS descent as explainedin the above references.

It is possible to work directly with function fields, if preferred, using the functionWeilDescent. However this function produces a divisor map between function fields,not curves, and does not give the divisor class map in case i) above.

The genus of C and its degree are very dependent on the choice of c. For adescription of how to choose a good c for given E and k, see sections V

¯III.2.4 and

V¯III.2.5 in the chapter by Heß cited in the introduction.

We merely note here that c ∈ k or b ∈ k leads to a hyperelliptic C, though thismay have very large genus and other choices, giving non-hyperelliptic curves, maybe better.

WeilDescentGenus(E,k,c)

Returns the genus of the Weil descent curve C produced by WeilDescent for inputE, k, c.

WeilDescentDegree(E,k,c)

Returns the degree in the second variable of the plane Weil descent curve C producedby WeilDescent for input E, k, c.

Example H104E9

The following example is similar to one from the article of F. Heß referred to above. E is definedover F2155 and C is a hyperelliptic curve of genus 31 over F25 .

> K<w> := FiniteField(2,155);

> k := FiniteField(2,5);

> Embed(k, K);

> b := w^154 + w^152 + w^150 + w^146 + w^143 + w^142 + w^141 +

> w^139 + w^138 + w^137 + w^136 + w^134 + w^133 + w^132 + w^131 +

> w^127 + w^125 + w^123 + w^121 + w^117 + w^116 + w^115 + w^112 +

> w^111 + w^109 + w^108 + w^107 + w^105 + w^104 + w^102 + w^101 +

> w^100 + w^99 + w^98 + w^97 + w^95 + w^90 + w^89 + w^88 + w^85 +

> w^83 + w^81 + w^80 + w^79 + w^78 + w^76 + w^75 + w^73 + w^72 +

> w^69 + w^68 + w^62 + w^61 + w^59 + w^54 + w^52 + w^47 + w^45 +

> w^44 + w^43 + w^40 + w^39 + w^37 + w^36 + w^34 + w^32 + w^31 +

> w^25 + w^15 + w^13 + w^10 + w^8 + w^7 + w^6;

> E := EllipticCurve([K|1, 0, 0, b, 0]);

> C,div_map := WeilDescent(E,k,K!1);

> C;

Hyperelliptic Curve defined by y^2 + (k.1^16*x^32 + k.1^27*x^8 + k.1^2*x^4 +


k.1^29*x^2 + k.1^30*x + k.1^20)*y = k.1^30*x^32 + k.1^10*x^8 + k.1^16*x^4 +

k.1^12*x^2 + k.1^13*x + k.1^3 over GF(2^5)

> ptE := Points(E,w^2)[1];

> ord := Order(ptE); ord;

142724769270595988105829091515089019330391026

> ptJ := div_map(ptE); // point on Jacobian(C)

> // check that order ptJ on J = order ptE on E

> J := Jacobian(C);

> ord*ptJ eq J!0;

true

> [(ord div p[1])*ptJ eq J!0 : p in Factorization(ord)];

[ false, false, false, false, false, false, false, false ]

104.7 Discrete LogarithmsComputing discrete logarithms on elliptic curves over finite fields is considered to be a verydifficult problem. The best algorithms for general elliptic curves take exponential time,and do not take much advantage of properties of the curve. Thus, solving such problemscan be computationally infeasible for large curves. Indeed, elliptic curves are becomingincreasingly appealing for applications in cryptography.

Although hard instances of the elliptic curve discrete logarithm may be impossible tosolve, Magma is able to efficiently solve reasonable sized instances, or instances wherethe large prime factor of the order of the base point is not too big. Magma does this asfollows: The first step is to compute the factorization of the order of the base point, whichmay require calling SEA if the order of the curve is not already known to Magma. Thenit checks that the order of the base point is a multiple of the order of the other point. Ifthis is not true, then there is no solution. It next breaks the problem down to solving thediscrete logarithm modulo the prime power factors of the order using the Pohlig-Hellmanalgorithm. For small primes, it will try to solve it by exhaustive search. If a solution doesnot exist, Magma might determine this during the exhaustive search, and then abort theremaining computations. For the larger prime power factors, Magma uses the parallelcollision search version of Pollard’s rho algorithm. The implementation includes EdlynTeske’s idea of r-adding walks, and Michael Wiener’s and Robert Zuccherato’s idea oftreating the point P the same as −P (for curves of the form y2 = x3 + ax + b) so as toreduce the search space by a factor of 1/

√2 (this idea was independently discovered by

other researchers). It should be noted that Magma is not always able to determine thenonexistence of a solution, and therefore may run forever if given very bad parameters.For this reason, the user has the option of setting a time limit on the calculation.

Log(Q, P)

The discrete log of P to the base Q (an integer n satisfying n ∗ Q = P where0 ≤ n < Order(Q)). The arguments Q and P must be points on the same ellipticcurve, which must be defined over a finite field. The function returns −1 if it isdetermined that no solution exists.


Log(Q, P, t)

The discrete log of P to the base Q (an integer n satisfying n ∗ Q = P where0 ≤ n < Order(Q)). The arguments Q and P must be points on the same ellipticcurve, which must be defined over a finite field. The argument t is a time limitin seconds on the calculation: if this limit is exceeded the calculation is aborted.The time limit t must be a small positive integer. This function returns −1 if itis determined that no solution exists; if the calculation is aborted due to the timelimit being exceeded then −2 is returned.

Example H104E10

In the example below, we create a random elliptic curve over a randomly chosen 40-bit prime field.Our base point Q is chosen randomly on the curve, and the other point P is selected as a randommultiple of Q. Using the Log function, we recover that multiplier (m) and finally we verify thatthe solution is correct.

> GetSeed();

1020 132

> K := GF(RandomPrime(40));

> E := EllipticCurve([Random(K), Random(K)]);

> E;

Elliptic Curve defined by y^2 = x^3 + 456271502613*x + 504334195864

over GF(742033232201)

> Q := Random(E);

> Q;

(174050269867 : 191768822966 : 1)

> FactoredOrder(Q);

[ <31, 1>, <7789, 1>, <3073121, 1> ]

> P := Random(Order(Q))*Q;

> P;

(495359429535 : 455525174166 : 1)

> m := Log(Q, P);

> m;

597156621194

> m*Q - P;

(0 : 1 : 0)


104.8 Bibliography[Bla05] I. Blake, G. Serrousi and N. Smart, editor. Advances in Elliptic Curve Cryptog-

raphy, volume 317 of LMS LNS. Cambridge University Press, Cambridge, 2005.[Gau00] P. Gaudry, F. Heß and N. P. Smart. Constructive and destructive facets of Weil

descent on elliptic curves. J. Cryptology, 15(1):19–46, 2000.[Gau02] P. Gaudry. A Comparison and a Combination of SST and AGM Algorithms for

Counting Points on Elliptic Curves in Characteristic 2. In Y. Zheng, editor, Advancesin Cryptology – ASIACRYPT ’2002, volume 2501 of LNCS, pages 311–327. Springer-Verlag, 2002. Proc. 8th International Conference on the Theory and Applications ofCryptology and Information Security, Dec. 1–5 2002, Queenstown, New Zealand.

[Har] R. Harley. Web posting. Under November 2002 entry atURL:http://listserv.nodak.edu/archives/nmbrthry.html.

[JM00] D. Johnson and A. Menezes. The Elliptic Curve Digital Signature Algorithm(ECDSA). Technical report, Univ. Waterloo, 2000. Available atURL:http://www.cacr.math.uwaterloo.ca/.

[Koh03] David R. Kohel. The AGM-X0(N) Heegner Point Lifting Algorithm and EllipticCurve Point Counting. In Advances in Cryptology - AsiaCrypt 2003, number 2894 inLecture Notes in Comput. Sci., Berlin, 2003. Springer.

[LL03] R. Lercier and D. Lubicz. Counting Points on Elliptic Curves over Finite Fields ofSmall Characteristic in Quasi Quadratic Time. In Advances in Cryptology, EuroCrypt2003, volume 2656 of Lecture Notes in Comput. Sci., pages 360–373. Springer, 2003.

105 ELLIPTIC CURVESOVER FUNCTION FIELDS

105.1 An Overview of Relevant The-ory . . . . . . . . . . . 3383

105.2 Local computations . . . . 3385

BadPlaces(E) 3385Conductor(E) 3385LocalInformation(E, Pl) 3385LocalInformation(E, f) 3385LocalInformation(E) 3385KodairaSymbols(E) 3385NumberOfComponents(KS) 3386MinimalModel(E) 3386MinimalDegreeModel(E) 3386IsConstantCurve(E) 3386

105.3 Heights . . . . . . . . . 3386

NaiveHeight(P) 3386Height(P) 3386LocalHeight(P, Pl) 3386HeightPairing(P, Q) 3386HeightPairingMatrix(S) 3386HeightPairingLattice(S) 3386Basis(s) 3387Basis(seq,r,disc) 3387IsLinearlyDependent(points) 3387IsLinearlyIndependent(points) 3387IndependentGenerators(points) 3387

105.4 The Torsion Subgroup . . . 3387

TorsionSubgroup(E) 3387TorsionBound(E,n) 3387TorsionBound(E,n,B) 3387GeometricTorsionBound(E) 3387

105.5 The Mordell-Weil Group . . 3388

RankBounds(E) 3388RankBound(E) 3388MordellWeilGroup(E : -) 3388

MordellWeilLattice(E) 3388GeometricMordellWeilLattice(E) 3388Generators(E) 3389

105.6 Two-descent . . . . . . . 3389

TwoSelmerGroup(E) 3389TwoDescent(E) 3390QuarticMinimize(f) 3390Points(C : -) 3390PointsQI(C, H) 3390TwoIsogenySelmerGroups(E) 3390

105.7 The L-function and countingpoints . . . . . . . . . . 3391

LFunction(E) 3391LFunction(E,s) 3391LFunction(E, e) 3391AnalyticRank(E) 3391AnalyticInformation(E) 3391AnalyticInformation(E,L) 3391AnalyticInformation(E,e) 3391NumberOfPointsOnSurface(E, e) 3392NumbersOfPointsOnSurface(E, e) 3392BettiNumber(E, i) 3392CharacteristicPolynomial

FromTraces(traces) 3392CharacteristicPolynomial

FromTraces(traces, d, q, i) 3393

105.8 Action of Frobenius . . . . 3393

Frobenius(P,q) 3393FrobeniusActionOnPoints(s, q : -) 3393FrobeniusActionOnReducibleFiber(L) 3393FrobeniusActionOnTrivialLattice(E) 3393

105.9 Extended Examples . . . . 3394

105.10 Bibliography . . . . . . . 3397

Chapter 105

ELLIPTIC CURVESOVER FUNCTION FIELDS

This section involves elliptic curves with coefficients in a function field k(C) where Cis a regular projective curve over some field k (usually a number field or a finite field).The commands are largely parallel to those for elliptic curves over the rationals; onecan compute local information (Tate’s algorithm and so forth), a minimal model, the L-function, the 2-Selmer group, and the Mordell–Weil group. This goes in order of decreasinggenerality: local information is available for curves over univariate function fields over anyexact base field, while at the other extreme Mordell–Weil groups are available only forcurves over rational function fields over finite fields for which the associated surface is arational surface. The generality of many of the commands will be expanded in futurereleases.

105.1 An Overview of Relevant Theory

An elliptic curve over K = k(C) may be regarded as a surface E over k, with a mapπ : E → C (in other words, an elliptic surface). The generic fibre of E is E. Under thisinterpretation, elements of the Mordell-Weil group E(K) are in one to one correspondencewith sections of π (a section is a morphism s : C → E such that π s = IdC). This meansone may study the Mordell-Weil group by studying the geometry of the surface.

Given E, there is a unique E (up to isomorphism) that is projective, regular and rela-tively minimal. This is called the Kodaira-Neron model. We will always assume that weare working with this model of the surface.

Let k denote the separable closure of k, and Ek the elliptic surface considered overk. The Neron-Severi group NS(Ek) of Ek is the group of divisors of Ek modulo algebraicequivalence. It is a finitely generated group, and is closely connected with the Mordell-Weilgroup E(K).

Let N be the subgroup of NS(Ek) that is generated by all components of all the fibers ofπ together with the section corresponding to the zero point of E(k(C)). This is known asthe trivial lattice of NS(Ek). It can easily be determined, since the number of componentsin reducible fibers can be determined by Tate’s algorithm. The following divisor classestogether form a basis of N :

(i) the image of the section corresponding to the zero point,

(ii) one complete fiber, and

(iii) the components of all the reducible fibers, with one component from each fiberomitted.


It is known that the quotient NS(Ek)/N is generated by images of sections of π, andthat NS(Ek)/N ∼= E(k(C)) (via the identification of sections with points). In particular,this implies the Shioda-Tate formula

rank(E(k(C))) + 2 +∑

v∈C(k)

(mv − 1) = rank NS(Ek)

where mv denotes the number of components of the fiber π−1(v).The Galois group G = Gk/k acts on NS(Ek), and it maps N to itself. Moreover,

after extending scalars to Q one can split the Galois representation. That is, there existsM ⊂ NS(Ek) ⊗Q such that NS(Ek) ⊗Q ∼= M ⊕ (N ⊗Q) and M ∼= E(k(C)) ⊗Q as G-modules. In particular, MG ∼= E(K)⊗Q. In the case that k is a finite field, the Frobeniusaction on N can be determined with the functions FrobeniusActionOnReducibleFiberand FrobeniusActionOnTrivialLattice.

In order to study NS(Ek) as a G-module, one can embed it in the `-adic cohomologygroup H2(Ek,Q`). To get a G-equivariant map, one must slightly change the G-action onH2(Ek,Q`). Let H2(Ek,Q`)(1) denote the (1)-Tate twist of H2(Ek,Q`). The main prop-erty that we need to know about this twist is that it transforms the q-eigensubspacein H2(Ek,Q`) of some q-Frobenius element to the 1-eigenspace of this Frobenius inH2(Ek,Q`)(1). The cycle class map then yields a G-equivariant embedding

NS(Ek)⊗Q` → H2(Ek,Q`)(1).

It is conjectured by Tate that the image of (NS(Ek)⊗Q`)G under this map exactly equalsH2(Ek,Q`)(1)G.

In the case that k is a finite field, one can in principal determine H2(Ek,Q`)(1)G viathe Lefschetz trace formula. Suppose k ⊂ Fq and let Fq denote the q-th power Frobeniusmap. Then

#E(Fq) = 1 + q2 − (1 + q)Trace(Fq|H1(Ck,Q`)) + Trace(Fq|H2(Ek,Q`)).

The trace on H1(Ck,Q`) is zero if C is a rational curve, and it can be determinedby counting Fq-rational points on C in the general case. Hence by counting Fq-rationalpoints on E , one can determine Trace(Fq|H2(Ek,Q`)). By doing this for various powers ofq, one can determine the characteristic polynomial of Fq acting on H2(Ek,Q`), and hencethe conjectural ranks of E(k(C)) and E(K) by using Tate’s conjectures. The conjecturalranks obtained in this way give unconditional upper bounds on the true ranks.

As the Galois action on N can be determined, the difficult part is to compute

det(1− T · Fq|H2(Ek,Q`)/ im(N ⊗Q`)),

where im(N ⊗Q`) stands for the image of N ⊗Q` under the cycle class map. It can beshown that this polynomial is equal to the L-function of E over K. So in particular, thisL-function is a polynomial. This shows that Tate’s conjectures are linked to a geometric

Ch. 105 ELLIPTIC CURVES OVER FUNCTION FIELDS 3385

version of the Birch and Swinnerton-Dyer conjecture. Just as in the number field case, thisconjecture expresses the rank and the product of the order of the Tate-Shafarevich groupand the regulator of E in terms of its L-function. The L-function can be computed withthe function LFunction and the conjectural information on the rank, Tate-Shafarevichgroup and regulator can be obtained with the function AnalyticInformation.

If E can be defined by a Weierstrass equation in which the coefficients ai are polynomialsof degree at most i, then Ek is a rational surface, and rank(NS(Ek)) = 10. In this caserank(E(k(C))) = 10 − rank(N) can be easily determined. In the case that k is a finitefield, E(k(C)) and E(K) can be computed using functions in this section.

105.2 Local computations

BadPlaces(E)

A sequence containing the places where the given model of E has bad reduction, foran elliptic curve E defined over a function field.

Conductor(E)

The conductor of an elliptic curve E defined over a function field, given as a divisorof the function field.

LocalInformation(E, Pl)

LocalInformation(E, f)

The function performs Tate’s algorithm for an elliptic curve E over a function field,to determine the reduction type, and a minimal model, at the given place Pl. WhenE is defined over a rational function field F (t), the place is simply given as a fieldelement f (which must either be 1/t or an irreducible polynomial in t.)

The model is not required to be integral on input. The output is of the form〈Pl, vp(d), fp, cp,K, split〉 and Emin where Pl is the place, vp(d) is the valuationof the local minimal discriminant, fp is the valuation of the conductor, cp is theTamagawa number, K is the Kodaira Symbol, split is a boolean that is false ifreduction is of nonsplit multiplicative type and true otherwise, and Emin is a modelof E (integral and) minimal at Pl.

LocalInformation(E)

Sequence of tuples as described above for all places of bad reduction of the ellipticcurve E.

KodairaSymbols(E)

A sequence of tuples 〈KS, n〉, corresponding to the places of bad reduction of theelliptic curve E. Here KS is the Kodaira symbol, and n is the degree of the corre-sponding place.


NumberOfComponents(KS)

The number of components of a fiber with the given Kodaira symbol.

MinimalModel(E)

A model of the elliptic curve E (defined over a function field, which must have genus0) that is minimal at all finite places, together with a map from E to the minimalmodel.

MinimalDegreeModel(E)

A model of the elliptic curve E (defined over a rational function field) which min-imises the quantity Max([Degree(ai)/i]), where a1, a2, a3, a4, a6 are the Weierstrasscoefficients.

IsConstantCurve(E)

For an elliptic curve E defined over a rational function field F (t), the function returnstrue if and only if E is isomorphic over F (t) to an elliptic curve with coefficients inF (and also returns such a curve in that case).

105.3 Heights

NaiveHeight(P)

The naive x-coordinate height of a point P on an elliptic curve over a function fieldK, in other words, the degree of the point (x(P ) : 1) on the projective line.

Height(P)

The Neron-Tate height h(P ) of the given point P on an elliptic curve defined overa function field.

LocalHeight(P, Pl)

Given a point P on an elliptic curve defined over a function field F and a place Plof the function field F , the function returns the local height λPl(P ) at Pl of P .

HeightPairing(P, Q)

Given points P and Q, the function computes the height pairing, defined as 〈P,Q〉 =(h(P + Q)− h(P )− h(Q))/2 where h denotes the Neron-Tate height.

HeightPairingMatrix(S)

Given a sequence S of points Pi on an elliptic curve defined over a function field,this function returns the matrix (〈Pi, Pj〉), where 〈, 〉 is the height pairing.

HeightPairingLattice(S)

The height pairing lattice of a sequence of independent points on an elliptic curvedefined over a function field.


Basis(s)

Given a sequence s of points on an elliptic curve, returns a sequence of points thatform a basis for the free part of the subgroup generated by the points in s. Thesecond returned value is a Gram matrix for this basis with respect to the Neron-Tatepairing.

Basis(seq,r,disc)

Given a sequence seq of points on an elliptic curve, returns a sequence of independentpoints in the free part of the subgroup generated by the given points, which generatea lattice of rank r and discriminant disc. The answer is returned as soon as such alattice has been found, ignoring any additional points in the given sequence.

IsLinearlyDependent(points)

IsLinearlyIndependent(points)

IndependentGenerators(points)

These functions are available for elliptic curves over function fields, and behave thesame way as for elliptic curves over the rationals.

105.4 The Torsion Subgroup

TorsionSubgroup(E)

Given an elliptic curve E defined over a function field F , this function returns anabelian group A isomorphic to the torsion subgroup of E(F ), together with a mapfrom A to E(F ).

TorsionBound(E,n)

TorsionBound(E,n,B)

Given an elliptic curve over a function field F and an integer n, this function com-putes a bound on the size of the torsion subgroup of E(F ) by considering the torsionsubgroups of the fibres of E at n different places of F .

When an integer B is given as a third argument, the subgroup of elements oforder dividing B is bounded, rather than the whole torsion subgroup.

GeometricTorsionBound(E)

Given an elliptic curve E defined over a function field F , this function computes abound for the geometric torsion subgroup of E, in other words the torsion group ofE(K), where K/F is the smallest extension with algebraically closed constant field.In cases where a bound cannot be computed, 0 is returned.


105.5 The Mordell-Weil Group

The machinery in this section and the next section is for curves defined over a rationalfunction field k(t) whose field of constants k is finite.

The Mordell-Weil group can be computed (and generators found) for a curve y2 +a1xy + a3y = x3 + a2x

2 + a4x + a6 where each ai is a polynomial in k[t] ⊂ k(t) of degreeat most i.

When this hypothesis is not satisfied, it may still be possible to bound the Mordell-Weilrank, and find Mordell-Weil generators, using the 2-descent routines described in the nextsection.

RankBounds(E)

RankBound(E)

These functions returns lower and upper bounds (or just an upper bound) on therank of the Mordell-Weil group E(F ) for an elliptic curve E defined over a functionfield F with finite constant field. The bound is obtained by applying all the avail-able tools (those described in this section together with the AnalyticInformationobtained from the L-function).

MordellWeilGroup(E : parameters)

Al MonStgElt Default : ”Geometric”The Mordell–Weil group of an elliptic curve E that satisfies the hypotheses statedin the introduction immediately above. The function returns two values: an abeliangroup A and a map m from A to E. The map m provides an isomorphism betweenthe abstract group A and the Mordell–Weil group.

The algorithm used by default is the geometric method described above. Howeverwhen Al is set to "Descent", it instead uses the 2-descent tools described in thenext section; if the curve admits 2-isogenies, it uses a separate implementation ofdescent by 2-isogenies (described in [Rob07]). These descent methods do not alwaysdetermine the full Mordell-Weil group (in which case a warning is printed); howeverthe advantages are that they do not require the degrees of the coefficients to bebounded, and in many cases are very efficient.

MordellWeilLattice(E)

The Mordell–Weil lattice of an elliptic curve E that satisfies the hypotheses statedin the introduction immediately above. This is the free part of the Mordell–Weilgroup, with an inner product given by the Neron-Tate height pairing. The functionreturns two values: the lattice L and a map m from L to E.

GeometricMordellWeilLattice(E)

The geometric Mordell–Weil lattice of an elliptic curve E that satisfies the hypothe-ses stated in the introduction immediately above. This consists of the free part ofthe group of points on E that are defined over the function field with a possiblyextended constant field, together with the Neron-Tate pairing. The function returns


two values: a lattice L and a map m from L to E′, where E′ is a base change of Eover the larger field.

Generators(E)

Given an elliptic curve E over a rational function field F that satisfies the hypothesesstated in the introduction immediately above, this function returns a sequence ofpoints in E(F ) which are generators of the Mordell-Weil group.

Example H105E1

We find that the curve y2 = x3 +(t4 +2t2)x + t3 +2t over F3(t) has rank 2 and has no 2-torsionin its Tate-Shafarevich group.

> F<t> := FunctionField(GF(3));

> E := EllipticCurve([ t^4 + 2*t^2, t^3 + 2*t ]);

> S2E := TwoSelmerGroup(E);

> S2E;

Abelian Group isomorphic to Z/2 + Z/2


Relations:

2*S2E.1 = 0

2*S2E.2 = 0

> MordellWeilGroup(E);

Abelian Group isomorphic to Z + Z


Mapping from: Abelian Group isomorphic to Z + Z

Defined on 2 generators (free) to CrvEll: E given by a rule [no inverse]

Furthermore, we may compute the regulator of E as follows.

> Determinant(HeightPairingMatrix(Generators(E)));

12

105.6 Two-descentIn odd characteristic, the 2-Selmer group can be computed, and its elements can be rep-resented as minimized 2-coverings. A search for points on these 2-coverings can be made.

In characteristic 2, for an ordinary curve E, descent by 2-isogeny can be performedusing the isogenies E → Efrob → E. The Selmer groups for both isogenies are computed;if these have ranks s1 and s2, then the rank of E is at most s1 + s2 − 1.

TwoSelmerGroup(E)

The 2-Selmer group of an elliptic curve E defined over a rational function field Fq(t)of odd characteristic. This is returned as an abstract group, together with a mapto the relevant algebra.

The algorithm is standard (similar to the one used for elliptic curves over numberfields).


TwoDescent(E)

This represents the nontrivial elements of the 2-Selmer group of E as hyperellipticcurves C : y2 = f(x) of degree 4, and returns a sequence containing the curvestogether with a list containing the corresponding covering maps C → E. The ellipticcurve should be defined over a rational function field Fq(t) of odd characteristic.

The curves returned have polynomial coefficients and are minimized at all fi-nite places. The conic parametrization step uses the algorithm by Cremona andvan Hoeij.

QuarticMinimize(f)

This is the routine used by TwoDescent to minimize two-coverings. The functiontakes a homogeneous quartic in two variables with coefficients in a rational univariatefunction field, and returns a minimal quartic equivalent to f, together with thetransformation matrix.

Points(C : parameters)


This finds all rational points with height up to the given Bound on the hyperellipticcurve C, which must be defined over a rational function field Fq(t). The parameterBound is not optional, and it refers to the x-coordinate (logarithmic) height of thepoints: in other words the routine finds all projective points (X : Y : Z) where Xand Z are polynomials in t of degree less than or equal to the Bound.

PointsQI(C, H)

OnlyOne BoolElt Default : false

ExactBound BoolElt Default : false

This is an optimized routine for finding rational points on a curve given as anintersection of two quadrics, defined over a rational function field Fq(t). It searchesfor projective points whose coordinates are polynomials in t of degree up to H. Toguarantee finding all such points, the parameter ExactBound must be set to true.

The algorithm uses a lattice reduction method, described in [Rob07].

TwoIsogenySelmerGroups(E)

This performs descent by 2-isogenies for a non-supersingular elliptic curve E definedover a rational function field k(t) where k is finite of characteristic 2. The isogeniesused are the Frobenius map E → Efrob : (x, y) 7→ (x2, y2), and the dual isogenyEfrob → E (which is separable). The function returns four objects: the Selmergroup Ssep of the separable isogeny (as an abstract group), followed by the Selmergroup SFrob of the Frobenius isogeny, followed by maps Ssep → k(t)/Φ(k(t)) andSFrob → k(t)∗/(k(t)∗)2. Here Φ denotes the Artin-Schreier map a 7→ a2 + a.

Notes describing the algorithm will be made available (on request). The theo-retical background is presented in [Kra77].


105.7 The L-function and counting points

To compute the L-function, one can use the intrinsic LFunction, or alternatively one cando it “by hand”, using the tools in this section and the next section (as illustrated inExample H105E6).

LFunction(E)

LFunction(E,s)


The L-function of the elliptic curve E, which should be defined over a rationalfunction field over a finite field.

To speed up the computation, the points in s are used to reduce the unknownpart of H2; s should be a sequence of points on E, or on some base change of E byan extension of the constant field. If the parameter Check is false, then the pointsin s must form a basis for a subgroup of the geometric Mordell-Weil group modulotorsion that is mapped to itself by the Galois group of the extension of the fields ofconstants.

LFunction(E, e)

The L-function for the base change of the elliptic curve E by a constant field exten-sion of degree e.

AnalyticRank(E)

The Mordell–Weil rank of E as predicted by Tate’s version of the Birch–Swinnerton-Dyer conjecture (or equivalently, the Artin-Tate conjecture). This is an uncondi-tional upperbound, and is proved to be the actual rank for several classes of curves,such as those arising from rational elliptic surfaces, and K3 elliptic surfaces. It isrequired that E is defined over a function field over a finite field.

AnalyticInformation(E)

AnalyticInformation(E,L)

AnalyticInformation(E,e)

This function computes what is predicted by the Birch–Swinnerton-Dyer (or Artin–Tate) conjecture about E, which should be an elliptic curve defined over a functionfield over a finite field. The data is given as a tuple consisting of the rank, geometricrank, and the product of the order of Tate–Shafarevich group and the regulator.

When a polynomial L is given as a second argument, Magma will assume thatL is the L-function of E.

When an integer e is given as a second argument, the program will return analyticdata for the base change of E by the constant field extension of degree e. This ismore efficient than simply calling AnalyticInformation on the base change.


Example H105E2

The curve y2 = x3 + 2t2x + (t3 + 2t2 + 2t) over F3(t) has rank 0 and its Tate-Shafarevich groupcontains Z/3⊕Z/3. We may conclude this (unconditionally) from the analytic information, sincethe Tate conjecture is proved for rational elliptic surfaces.


> E := EllipticCurve([ 2*t^2, t^3 + 2*t^2 + 2*t ]);

> AnalyticInformation(E);

<0, 4, 9>

Furthermore, the rank of E(F3(t)) is 4.

Example H105E3

We consider again the curve y2 = x3 + (t4 + 2t2)x + t3 + 2t over F3(t), which was found to haverank 2 and regulator 12 in Example H105E1.


> E := EllipticCurve([ t^4 + 2*t^2, t^3 + 2*t ]);

> AnalyticInformation(E);

<2, 8, 12>

This confirms that the rank is 2, and tells us that the regulator multiplied by the order of Sha is12, in other words the Tate-Shafarevich group is trivial. Again this is unconditional.

NumberOfPointsOnSurface(E, e)

Number of points on the Kodaira-Neron model of the elliptic curve E over an ex-tension of the constant field of degree e.

NumbersOfPointsOnSurface(E, e)

If an elliptic curve E is defined over a function field over a finite field of q elements,then this intrinsic computes a sequence containing the number of points on thecorresponding Kodaira-Neron model of E over extensions of GF (q) of degree up toe, and the number of points on the base curve over these extensions.

BettiNumber(E, i)

The i-th Betti number of the Kodaira-Neron model of the elliptic surface corre-sponding to the elliptic curve E.

CharacteristicPolynomialFromTraces(traces)

Given a sequence traces = [t1, t2, . . . , td], this computes a polynomial of degree dwith constant coefficient equal to 1, of which the j-th powersum of the reciprocalzeroes is equal to tj . This is typically used when one wants to compute the charac-teristic polynomial of Frobenius acting on some piece of cohomology from traces ofvarious powers of Frobenius.


CharacteristicPolynomialFromTraces(traces, d, q, i)

Given a sequence of field elements [t1, t2, . . . , tk], and integers d, q and i, this com-putes a polynomial of degree d with constant coefficient 1, for which the reciprocalsof zeroes have absolute value qi/2, and the j-th powersum of the reciprocals of ze-roes equals tj . For this function one must have k at least equal to Floor(d/2). Apriori the leading coefficient of the polynomials is not be determined from the list oftraces; in this case two polynomials are returned, one for each choice of sign. Oneusually needs to provide Ceiling(d/2) traces in order to determine the sign, but incertain cases more traces are required. This function is typically used when onewants to compute the characteristic polynomial of Frobenius acting on a piece ofthe i-th cohomology group from traces of various powers of Frobenius.

105.8 Action of Frobenius

Frobenius(P,q)

The q-th power Frobenius map on the point P of an elliptic curve that can be definedover a function field with constant field GF(q).

FrobeniusActionOnPoints(s, q : parameters)

gram AlgMatElt Default :

A matrix representing the q-power Frobenius map on the subgroup of the geometricMordell–Weil group (modulo torsion) with the given basis s. (This subgroup isassumed to be invariant under the q-power Frobenius.)

The optional parameter gram should be the gram matrix with respect to theheight pairing of the points in s.

FrobeniusActionOnReducibleFiber(L)

Given reduction data L for an elliptic curve E, such as given by the commandLocalInformation, this function returns a matrix representing the Frobenius actionon the non-identity components of corresponding fibres.

FrobeniusActionOnTrivialLattice(E)

Given an elliptic curve E defined over a rational function field over a finite field,returns a matrix representing the Frobenius action on fiber components and the zerosection of the corresponding elliptic surface.


105.9 Extended Examples

Example H105E4

In this example we construct an elliptic curve by using a pencil of cubic curves passing through 8given points. The 8 points are defined over GF (18318) and form a Galois orbit over GF (1831).

> p:=1831;

> F:=GF(p);

> Fe:=ext<F | 8>;

> K<t>:=FunctionField(F);

> P2<X,Y,Z>:=ProjectivePlane(K);

> // define the 8 points:

> points:=[[u^(pî),(u^3+u+1)^(pî)] : i in [0..7]];

> M:=[[p[1]î*p[2]^j : i in [0..3-j], j in [0..3]]: p in points];

> // find the coefficients of 2 cubics that pass through the points:

> B:=Basis(Kernel(Transpose(Matrix(M))));

> R<x,y>:=PolynomialRing(F,2);

> mono_aff:=[xî*y^j : i in [0..3-j], j in [0..3]];

> // f1 and f2 are the cubics:

> f1:=&+[(F!B[1][i])*mono_aff[i] : i in [1..10]];

> f2:=&+[(F!B[2][i])*mono_aff[i] : i in [1..10]];

> // Find the 9th intersection point, which we use as zero, to put

> // it to a nice Weierstrass model :

> P9:=Points(Scheme(Spec(R),[f1,f2]))[1];

> F1:=Homogenization(Evaluate(f1,[X,Y]),Z);

> F2:=Homogenization(Evaluate(f2,[X,Y]),Z);

> C:=Curve(P2,F1+t*F2);

> E:=MinimalDegreeModel(EllipticCurve(C,C![P9[1],P9[2]]));

We could transfer the 8 points to this Weierstrass model, and use them to determine the Mordell–Weil group. Instead, we will see what magma is able to compute, just from the Weierstrassmodel.

> KodairaSymbols(E);

[ <I1, 1>, <I1, 7>, <II, 1>, <I1, 2> ]

All fibers are irreducible. According to the theory of rational elliptic surfaces, the geometricMordell–Weil lattice should then be isomorphic to the root lattice E8. We can check this. Wealso compute the Mordell–Weil lattice over the ground field.

> Lgeom:=GeometricMordellWeilLattice(E);

> IsIsomorphic(Lgeom,Lattice("E",8));

true

[-1 0 -2 1 1 -1 0 -1]

[ 0 0 0 1 0 0 -1 1]

[ 2 0 2 -2 -1 1 1 0]

[-2 0 -1 0 1 0 0 -1]

[ 1 0 0 1 -1 -1 -1 1]

[-1 0 0 0 1 0 1 -1]


[ 2 -1 2 -3 -1 1 1 1]

[ 1 -1 1 -1 0 0 0 0]

> L,f:=MordellWeilLattice(E);

> L;

Standard Lattice of rank 1 and degree 1

Inner Product Matrix:

[8]

> f(L.1);

((1057*t^8 + 384*t^7 + 351*t^6 + 728*t^5 + 872*t^4 + 948*t^3 + 1473*t^2 + 257*t

+ 1333)/(t^6 + 100*t^5 + 1565*t^4 + 1145*t^3 + 927*t^2 + 1302*t + 1197) :

(1202*t^12 + 1506*t^11 + 1718*t^10 + 1365*t^9 + 656*t^8 + 325*t^7

+ 1173*t^6 + 902*t^5 + 1555*t^4 + 978*t^3 + 616*t^2 + 779*t +

964)/(t^9 + 150*t^8 + 1520*t^7 + 747*t^6 + 1065*t^5 + 340*t^4 +

1618*t^3 + 1669*t^2 + 1150*t + 1768) : 1)

That the rank equals 1 is not surprising. This point corresponds to the GF (1831)-rational degree8 divisor consisting of the sum of the 8 points we started with.To determine the L-function of E, one would normally have to count points over various extensionfields of GF (1831): in this case up to GF (18314). This would be costly using current techniques.But since Magma is able to determine the geometric Mordell–Weil lattice, it can compute theL-function by simply considering the Galois action on points. Magma automatically uses thiswhen asked for the L-function:

> LFunction(E);

-126330075128099803866555841*T^8 + 1

Example H105E5

In this example we determine the C(t)-rank of an elliptic curve, following [Klo07].

> K<t>:=FunctionField(Rationals());

> E:=EllipticCurve([-(2*t-1)^3*(4*t-1)^2,t*(2*t-1)^3*(4*t-1)^3]);

To determine where the surface has bad reduction, we determine the primes at which singularfibers collapse.

> &*BadPlaces(E);

(t^5 - 99/32*t^4 + 337/128*t^3 - 251/256*t^2 + 3/16*t - 1/64)/t

> Discriminant(Numerator($1));

-87887055375/4503599627370496

> Factorisation(Numerator($1));

[ <3, 15>, <5, 3>, <7, 2> ]

> Factorisation(Denominator($2));

[ <2, 52> ]

So 11 and 13 are the smallest primes of good reduction. We remark that in [Klo07] the primes 17and 19 where used.

> K11<t11>:=FunctionField(GF(11));

> E11:=ChangeRing(E,K11); // Reduce E mod 11

> LFunction(E11);


161051*T^5 - 7986*T^4 - 363*T^3 - 33*T^2 - 6*T + 1

> AnalyticInformation(E11);

<0, 1, 1>

> AnalyticInformation(E11,2);

<1, 1, 35/2>

So modulo 11 the rank is 0, but over F112(t) the rank equals the geometric rank which is 1, andthe height of a generator is congruent to 35

2modulo Q2. From this it can be concluded that the

geometric rank in characteristic 0 is at most 1. As modulo any p of good reduction the L-functionhas odd degree 5, it will always have a zero at 1/p or −1/p, and consequently, the geometric rankmodulo p will always be at least 1. To determine what the geometric rank is in characteristiczero, one can combine information at 2 different primes.

> K13<t13>:=FunctionField(GF(13));

> E13:=ChangeRing(E,K13); // Redude E mod 13

> AnalyticInformation(E13);

<0, 1, 1>

> AnalyticInformation(E13,2);

<1, 1, 121/2>

So over F132(t) the rank equals the geometric rank 1. The height of a generator is congruent to1212

modulo Q2. As the quotient of the heights of generators in characteristics 11 and 13 is nota square in Q, there can not exist a Mordell-Weil group in characteristic zero that both modulo11 and 13 reduces to a finite index subgroup of the Mordell-Weil group modulo p. Hence one canconclude that the geometric Mordell-Weil rank in characteristic zero is zero.

Example H105E6

In this example we calculate part of the L-function of an elliptic curve for which it is notfeasible to compute the L-function completely. The simplest way to compute an L-function is tocall LFunction, which counts points on the surface over certain constant field extensions. Howeverif the required extension fields are too big, LFunction will not terminate. One can determine therequired extension degrees as follows.

> K<t>:=FunctionField(GF(5));

> E:=EllipticCurve([t^9+t^2,t^14+t^4+t^3]);

> h2:=BettiNumber(E,2);

> N:=FrobeniusActionOnTrivialLattice(E);

> [h2, h2-NumberOfRows(N)];

[ 34, 21 ]

So the H2 has dimension 34, of which a 13-dimensional piece is generated by the trivial lattice,and a 21-dimensional piece is unknown. To determine the L-function, one would have to at leastcount points over F510 . As this is not feasible, we will count points over extension degrees up to5 and print the first few coefficients of the L-function.

> nop:=NumbersOfPointsOnSurface(E,5);

> traces:=[nop[i]-1-25î-5î*Trace(Nî) : i in [1..5]];

> CharacteristicPolynomialFromTraces(traces);

5750*T^5 + 875*T^4 - 40*T^3 - 40*T^2 + 1


105.10 Bibliography[Klo07] Remke Kloosterman. Elliptic K3 surfaces with geometric Mordell-Weil rank 15.

Canadian Mathematical Bulletin, 50(2):215–226, 2007.[Kra77] K. Kramer. Two-Descent for Elliptic Curves in Characteristic Two. Trans.

Amer. Math. Soc., 232:279–295, 1977.[Rob07] David Roberts. PhD thesis, University of Nottingham, 2007.

106 MODELS OF GENUS ONE CURVES106.1 Introduction . . . . . . . 3401

106.2 Related functionality . . . 3402

106.3 Creation of Genus One Models3402

GenusOneModel(n,seq) 3402GenusOneModel(seq) 3402GenusOneModel(n,str) 3402GenusOneModel(C) 3402GenusOneModel(f) 3402GenusOneModel(seq) 3402GenusOneModel(n,E) 3402GenusOneModel(mat) 3403GenusOneModel(mats) 3403CompleteTheSquare(model) 3403RandomGenusOneModel(n) 3403RandomModel(n) 3403GenericModel(n) 3403ChangeRing(model,B) 3403CubicFromPoint(E, P) 3403HesseModel(n, seq) 3403DiagonalModel(n, seq) 3403

106.4 Predicates on Genus One Mod-els . . . . . . . . . . . . 3405

IsGenusOneModel(f) 3405IsGenusOneModel(seq) 3405IsGenusOneModel(mat) 3405IsEquivalent(model1,model2) 3405IsEquivalent(cubic1,cubic2) 3405

106.5 Access Functions . . . . . 3405

Degree(model) 3405DefiningEquations(model) 3405Equations(model) 3405Matrix(model) 3405Curve(model) 3406HyperellipticCurve(model) 3406QuadricIntersection(model) 3406Matrices(model) 3406BaseRing(model) 3406PolynomialRing(model) 3406Eltseq(model) 3406ModelToString(model) 3406

106.6 Minimisation and Reduction 3406

Minimise(C) 3407Minimise(model) 3407pMinimise(C, p) 3407Reduce(C) 3407

Reduce(M) 3407ReduceQuadrics(seq) 3407

106.7 Genus One Models as Cover-ings . . . . . . . . . . . 3408

Jacobian(model) 3408Jacobian(C) 3408nCovering(model : -) 3408AddCubics(cubic1, cubic2 : -) 3408AddCubics(model1, model2 : -) 3408+ 3408DoubleGenusOneModel(model) 3408FourToTwoCovering(M : -) 3409FourToTwoCovering(C : -) 3409

106.8 Families of Elliptic Curveswith Prescribed n-Torsion . 3409

RubinSilverbergPolynomials(n, J : -) 3409

106.9 Transformations betweenGenus One Models . . . . 3409

IsTransformation(n,g) 3410RandomTransformation(n : -) 3410* 3410ApplyTransformation(g,model) 3410* 3410ComposeTransformations(g1,g2) 3410ScalingFactor(g) 3410

106.10 Invariants for Genus One Mod-els . . . . . . . . . . . . 3410

aInvariants(model) 3410bInvariants(model) 3410cInvariants(model) 3411Invariants(model) 3411Discriminant(model) 3411SL4Invariants(model) 3411

106.11 Covariants and Contravariantsfor Genus One Models . . . 3411

Hessian(model) 3411CoveringCovariants(model) 3411Contravariants(model) 3411HesseCovariants(model,r) 3411HessePolynomials(n, r,

invariants : -) 3412

106.12 Extended Example . . . . 3412

106.13 Bibliography . . . . . . . 3414

Chapter 106

MODELS OF GENUS ONE CURVES

106.1 Introduction

This chapter deals with curves of genus one that are given by equations in a particularform. Most of the functionality involves invariant theory of these models, and applicationsof this to arithmetic problems concerning genus one curves over number fields.

Geometrically (viewed over an algebraically closed field) a genus one model of degreen is an elliptic curve embedded in Pn−1 via the linear system |n.O|. In general, a genusone model of degree n is a principal homogeneous space for an elliptic curve (of ordern in the Weil-Chatelet group) which is embedded in Pn−1 in an analogous way. Suchmodels are sometimes called genus one normal curves. Not every element of order n inthe Weil-Chatelet group admits such an embedding, although it does if it is everywherelocally soluble.

Genus one models may be defined in Magma over any ring. The degree n can be 2, 3, 4or 5. Genus one models have their own type, ModelG1, in Magma, which is not a subtypeof any other type. In particular, these objects are not curves or even schemes. The datathat defines a genus one model is either a multivariate polynomial (for degree 2 or 3), apair of multivariate polynomials (degree 4), or a matrix of linear forms (degree 5). Eachof these are now described in detail.

A genus one model of degree 2 in Magma is defined by either a binary quartic g(x, z)(referred to as a model without CrossTerms), or more generally an equation y2+f(x, z)y−g(x, z) where f and g are homogeneous of degrees 2 and 4, and the variables x, z, y areassigned weights 1, 1, 2 respectively. A binary quartic g(x, z) defines the same model asthe equation y2 − g(x, z). (The implicit map is the projection to P1

x,z, which in this caseis not an embedding, but rather has degree 2.)

A genus one model of degree 3 in Magma is defined by a cubic form in 3 variables. (inother words, the equation of a projective plane cubic curve).

A genus one model of degree 4 in Magma is defined by a sequence of two homogeneouspolynomials of degree 2 in 4 variables. This represents an intersection of two quadric formsin P3 (which is the standard form in which Magma returns curves that are obtained bydoing FourDescent on an elliptic curve).

A genus one model of degree 5 in Magma is defined by a 5 by 5 alternating matrixwhose entries are linear forms in 5 variables. The associated subscheme of P4 is cut outby the 4 by 4 Pfaffians of the matrix. It is known that every genus one normal curve ofdegree 5 arises in this way.

It’s important to note that degenerate cases are allowed, which means that the schemeassociated to a genus one model is not always a smooth curve of genus 1 (or even a curve).


106.2 Related functionality

Section 103.8.11, which concerns three descent on elliptic curves, is relevant for studyingrational points on plane cubics (genus one models of degree 3) over the rationals.

A very efficient PointSearch for schemes is available; for details see Section 98.13.4.This will find all rational points up to absolute height H on the curve associated to a givengenus one model in time O(H2/d), where d is the dimension of the ambient projectivespace.

106.3 Creation of Genus One Models

GenusOneModel(n,seq)

GenusOneModel(seq)

GenusOneModel(n,str)

The genus one model of degree n (where n is 2, 3, 4 or 5) determined by the coeffi-cients in the given sequence or string. The coefficients may belong to any ring.

A sequence [a, b, c, d, e] of length 5 is interpreted as the degree 2 model ax4 +bx3z + cx2z2 + dxz3 + ez4. A sequence [f, g, h, a, b, c, d, e] of length 8 is interpretedas the degree 2 model y2 + y(fx2 + gxz + hz2)− (ax4 + bx3z + cx2z2 + dxz3 + ez4).

A sequence [a, b, c, d, e, f, g, h, i, j] of length 10 is interpreted as the degree 3model ax3 + by3 + cz3 + dx2y + ex2z + fy2x + gy2z + hz2x + iz2y + jxyz.

Sequences of lengths 20 or 50 are interpreted as models of degree 4 or 5 re-spectively; however, it is easier to create these by specifying matrices instead (seebelow).

The sequence of coefficients can be recovered by calling Eltseq.

GenusOneModel(C)

A genus one model that represents the given curve C.For degree n = 2, C should either be a subscheme of a weighted projective space

P (1, 1, 2), or a hyperelliptic curve. For degrees n = 3, 4 or 5, C should be a genus onenormal curve of degree n: in other words a plane cubic (for n = 3), an intersection of twoquadrics in P 3 (for n = 4), or an intersection of five quadrics in P 4 (for n = 5).

GenusOneModel(f)

GenusOneModel(seq)

The genus one model given by the polynomial f , or the sequence of equations seq.

GenusOneModel(n,E)

A genus one model of degree n (where n is 2, 3, 4 or 5) representing the elliptic curveE embedded in Pn−1 via the linear system |n.O|. Also returned are the image ofthe embedding as a curve C, and also maps of schemes E → C and C → E.

Ch. 106 MODELS OF GENUS ONE CURVES 3403

GenusOneModel(mat)

The genus one model of degree 5 associated to the given 5 by 5 matrix.

GenusOneModel(mats)

The genus one model of degree 4 determined by the given pair of 4 by 4 sym-metric matrices in the sequence mats. (The matrices can be recovered by callingModelToMatrices).

CompleteTheSquare(model)

Simplifies a genus one model of degree 2 by completing the square of the multivariatepolynomial f .

RandomGenusOneModel(n)

RandomModel(n)

Size RngIntElt Default :

A random genus one model of degree n, where n is 2, 3, 4 or 5.

GenericModel(n)

The generic genus one model of degree n, where n is 2, 3, 4 or 5. (The coefficientsare indeterminates in a polynomial ring).

ChangeRing(model,B)

The genus one model defined over the ring B obtained by coercing the coefficientsof the given genus one model into B.

CubicFromPoint(E, P)

The 3-covering corresponding to the rational point P on an elliptic curve E. The 3-covering is returned as the equation of a projective plane cubic curve. Also returnedare the covering map, and a point that maps to P under the covering map.

HesseModel(n, seq)

A genus one model of degree n invariant under the standard representation of theHeisenberg group. The second argument should be a sequence of two ring elements.

DiagonalModel(n, seq)

A genus one model of degree n invariant under the diagonal action of µn. Thesecond argument should be a sequence of n ring elements.


Example H106E1

We construct the genus one model of degree 5 obtained from the generic elliptic curve Ea,b : y2 =x3 + ax + b over Q(a, b). The model is the image of Ea,b under the embedding in P4 given by thelinear system |5.O|.> K<a,b> := FunctionField(Rationals(),2);

> Eab := EllipticCurve([a,b]);

> model := GenusOneModel(5,Eab);

> model;

[ 0 -b*x1 - a*x2 x5 x4 x3]

[ b*x1 + a*x2 0 x4 x3 x2]

[ -x5 -x4 0 -x2 0]

[ -x4 -x3 x2 0 x1]

[ -x3 -x2 0 -x1 0]

From this matrix, which is the data storing the model, the equations of the curve in P4 can becomputed (they are quadratic forms, given by the 4 by 4 Pfaffians of the matrix).

> Equations(model);

[

-x1*x4 + x2^2,

x1*x5 - x2*x3,

b*x1^2 + a*x1*x2 + x2*x4 - x3^2,

-x2*x5 + x3*x4,

-b*x1*x2 - a*x2^2 + x3*x5 - x4^2

]

Note that the degree 5 model has the same invariants c4, c6, ∆ as Ea,b:

> Invariants(model);

-48*a

-864*b

-64*a^3 - 432*b^2

> cInvariants(Eab), Discriminant(Eab);

[

-48*a,

-864*b

]

-64*a^3 - 432*b^2


106.4 Predicates on Genus One Models

IsGenusOneModel(f)

IsGenusOneModel(seq)

IsGenusOneModel(mat)

Return true if and only if the given polynomial, sequence of polynomials or matrixdetermines a “genus one model” in the sense described in the introduction to thischapter. When true, the model is also returned.

Important note: This does not imply that the associated scheme is a curve ofgenus 1, as degenerate cases are allowed!

IsEquivalent(model1,model2)

IsEquivalent(cubic1,cubic2)

Return true if and only if the two given cubics (or genus one models of degree 3) areequivalent as genus one models (in other words, there is a linear transformation ofthe ambient projective space P2

Q which takes one cubic to the other, up to scaling).The algorithm is given in [Fis06].

When true, the transformation is also returned as a tuple (the syntax is explainedin Section 106.9, on transformations, below).

106.5 Access Functions

Degree(model)

The degree (2, 3, 4 or 5) of the given model.

DefiningEquations(model)

A sequence containing the equations by which the given genus one model (whichmust have degree 2, 3 or 4) is defined.

Equations(model)

A sequence containing equations for the scheme associated to the given genus onemodel (of any degree). For degree 2, 3 or 4 this is the same as DefiningEquations.

Matrix(model)

The defining matrix of a genus one model of degree 5.


Curve(model)

HyperellipticCurve(model)

QuadricIntersection(model)

The curve associated to the given genus one model.In the degree 2 case, the curve is hyperelliptic, of the form y2+f(x, z)y−g(x, z) =

0, but is only created explicitly as a hyperelliptic curve when HyperellipticCurveis called (otherwise it is created as a general curve in a weighted projective space inwhich the variables x, z and y have weights 1, 1 and 2).

In the degree 4 case, the curve is an intersection of two quadrics in P3.In degenerate cases where the equations of the model do not define a curve, an

error results.

Matrices(model)

For a genus one model of degree 4, this function returns a sequence containing two4 by 4 symmetric matrices representing the quadrics.

BaseRing(model)

The coefficient ring of the given model.

PolynomialRing(model)

The polynomial ring used to define the model.

Eltseq(model)

ModelToString(model)

A sequence or string containing the coefficients of the defining data of the givengenus one model (which is either a polynomial, a pair of polynomials, or a matrix).Note that is may not be the same thing as Eltseq. The model may be recoveredusing GenusOneModel.

106.6 Minimisation and Reduction

This section contains functions for computing simpler models for genus one curves over Q.The terminology, which is somewhat standard, is as follows. Minimisation refers to

computing a model which is isomorphic to the original one over its ground field, but notintegrally equivalent. The minimal model, roughly speaking, has as few primes in itsdiscriminant as possible. Reduction refers to computing a model which is equivalent (viaan integrally invertible transformation) to the original one, and whose coefficients havesmall height.


Minimise(C)

Minimise(model)

Verbose Minimise Maximum : 3

Given a genus one model with coefficients in Q (or a homogeneous polynomialC which defines a model of degree 2 or 3), this function returns a model whichis close to minimal, in the sense described above. The second returned value is atransformation of genus one models, which takes the original model to the minimisedmodel (the syntax for transformations is explained in Section 106.9 below).

This is currently not implemented for models of degree 5.

pMinimise(C, p)

Given the equation of a nonsingular projective plane cubic curve, this functionreturns a model which is minimal at p. Also returned is a matrix M giving thetransformation: up to scaling, the minimised cubic is the original cubic evaluatedat M.[x, y, z]tr.

Reduce(C)

Reduce(M)

Verbose Reduce Maximum : 3

A reduced model (in the sense described above) for the given genus one model (orfor a homogeneous polynomial C which defines a genus one model of degree 2 or 3).

The transformation of genus one models, taking the original model to the reducedmodel, is also returned (the syntax for transformations between genus one modelsis explained in Section 106.9 below).

ReduceQuadrics(seq)

Verbose Reduce Maximum : 3

This function computes a reduced basis for the space spanned by the given quadrics(which should be given as a sequence of homogeneous quadratic forms in variablesx1, . . . , xn). This means making a linear change of the homogeneous coordinates,and also finding a new basis for the space of forms, with the aim of making theresulting coefficients small. The second and third objects returned are matrices Sand T giving the transformation. The change of homogeneous coordinate variablesis given by S, while T specifies the change of basis of the space of forms. Thereturned forms are therefore obtained by substituting [x1, . . . , xn].S for [x1, . . . , xn]in the original forms, and then applying T to this basis of forms (where T acts fromthe left).


106.7 Genus One Models as Coverings

The curve defined by a genus one model of degree n is a principal homogeneous space forsome elliptic curve (namely the Jacobian of the curve). The data of the Jacobian, and thecovering map of degree n2, can be read from the invariants and covariants of the model.

Any two models with the same Jacobian can be added together, as elements of theWeil-Chatelet group. Below are functions for adding two models of degree 3, and for“doubling” models of degree 4 or 5.

A related function for degree 3 models is ThreeSelmerElement (see Section 103.8.11).For degree 4 models, the maps can also be computed using AssociatedEllipticCurve andAssociatedHyperellipticCurve from the package on four descent (see Section 103.8.9).

Jacobian(model)

Jacobian(C)

The Jacobian, returned as an elliptic curve, of the given genus one model, or of thecurve C corresponding to a genus one model.

nCovering(model : parameters)

E CrvEll Default :

The covering map from the given genus one model to its Jacobian. Three values arereturned: the curve C of degree n corresponding to the given model, its Jacobianas an elliptic curve E, and a map of schemes C → E.

If an elliptic curve E is given, it must be isomorphic to the Jacobian, and thenthis curve will be the image of the map.

AddCubics(cubic1, cubic2 : parameters)

AddCubics(model1, model2 : parameters)

model1 + model2

E CrvEll Default :

ReturnBoth BoolElt Default : false

Given two ternary cubic polynomials, or two genus one models of degree 3, thatboth have the same invariants, the function computes the sum of the correspondingelements of H1(Q, E[3]).

If the two cubics do not belong to the same elliptic curve E, an error results. SeeSection 103.8.11 for more information about AddCubics.

DoubleGenusOneModel(model)

Given a genus one model of degree 4 or 5, this function computes twice the associatedelement in the Weil-Chatelet group, and returns this as a genus one model (whichwill have degree 2 or 5, respectively).


FourToTwoCovering(M : parameters)

FourToTwoCovering(C : parameters)

C2 Crv Default :

Given a genus one model M of degree 4, or associated curve, this function returnsthree values: the curve C4 in P3 given by M , a plane quartic curve C2 representingtwo times M (in the Weil-Chatelet group), and the map of schemes C4 → C2. Thesame information is provided by AssociatedHyperellipticCurve(Curve(model)).

106.8 Families of Elliptic Curves with Prescribed n-Torsion

In [RS95], Rubin and Silverberg explicitly construct families of elliptic curve over Q whichhave the same Galois representation on the n-torsion subgroups as a given elliptic curve.

RubinSilverbergPolynomials(n, J : parameters)

Parameter RngElt Default :

Suppose n = 2, 3, 4 or 5 and let E : y2 = x3 + ax + b be an elliptic curve over therationals with j-invariant 1728J . The function returns polynomials α(t) and β(t)that determine a family of elliptic curves with fixed n-torsion, in the following sense:Every nonsingular member Ft of the family F : y2 = x3 + aα(t)x + bβ(t) has Ft[n]isomorphic to E[n], as Z[G]-modules where G is the absolute Galois group of Q,and furthermore the isomorphisms between Ft[n] and E[n] preserve the Weil pairing.When n is 3, 4 or 5, all such “n-congruent” curves belong to the same family.

106.9 Transformations between Genus One ModelsA transformation between two genus one models of degree n = 2, 3, 4 or 5 is a tupleconsisting of two elements. The second element is an n × n matrix determining a lineartransformation of the projective coordinates (acting on them from the right). The firstelement is a “rescaling”, which is either a matrix or a scalar.

For degree 2 models q(x, z) (without CrossTerms), or for degree 3 models, a transfor-mation is a tuple 〈k, S〉, where k an element of the coefficient ring; the transformed modelis obtained by making the substitution of coordinate variables determined by S and mul-tiplying the equation by k. For degree 2 models y2 + a(x, z)y + b(x, z), a transformation isa tuple 〈k, [A, B,C], S〉, where k and S are as above, and in addition y +Ax2 +Bxz +Cz2

is substituted for y in the transformation. For degree 4, the first element is a 2× 2 matrix;a model of degree 4 is given by two quadric equations, and the 2× 2 matrix determines achange of basis of the quadrics (acting on them from the left). A transformation of degree5 models is a tuple 〈T, S〉 where T and S are both 5× 5 matrices; a model of degree 5 isgiven by a 5×5 matrix of linear forms M , and the transformed model is given by TMST tr

where MS is obtained from M by making the substitution of coordinate variables specifiedby S.

Two genus one models are said to be equivalent if they differ by one of these trans-formations. Equivalent models have the same invariants up to scaling by the 4th and 6thpowers of some element, given by ScalingFactor.


IsTransformation(n,g)

Return true if and only if the tuple g represents a transformation between genusone models of degree n.

RandomTransformation(n : parameters)

Size RngIntElt Default : 5Unimodular BoolElt Default : false

CrossTerms BoolElt Default : false

A tuple that represents a random transformation between genus one models of de-gree n. When Unimodular is set to true, the returned transformation is integrallyinvertible.

The optional parameter Size is passed to RandomSL or RandomGL.In degree 2, if CrossTerms is false, the returned transformation preserves the set

of models with no cross terms.

g * model

ApplyTransformation(g,model)

The result of applying the transformation g to the second argument, which shouldbe a genus one model.

g1 * g2

ComposeTransformations(g1,g2)

The composition g1 ∗ g2 of two transformations of genus one models. Transforma-tions of genus one models act on the left, so (g1 ∗ g2) ∗ f = g1 ∗ (g2 ∗ f).

ScalingFactor(g)

The scaling factor of a transformation g between genus one models is an element λ,such that if a genus one model has invariants c4 and c6, then the transformed modelhas invariants λ4c4 and λ6c6.

106.10 Invariants for Genus One Models

aInvariants(model)

The invariants [a1, a2, a3, a4, a6] of the given genus one model which must havedegree 2, 3 or 4. The formulae in the degree 3 case come from [ARVT05].

bInvariants(model)

The invariants [b2, b4, b6, b8] of the given genus one model which must have degree2, 3 or 4. These are computed from the aInvariants in the standard way (as forelliptic curves).


cInvariants(model)

The invariants [c4, c6] of the given genus one model. For n = 2, 3, 4 these are theclassical invariants, as can be found in [AKM+01]. For n = 5 the algorithm isdescribed in [Fis].

Invariants(model)

The invariants c4, c6 and ∆ (the discriminant) of the given genus one model.

Discriminant(model)

The discriminant ∆ of the given genus one model.

SL4Invariants(model)

The SL4-invariants of a genus one model of degree 4.

106.11 Covariants and Contravariants for Genus One Models

Hessian(model)

We write Xn for the (affine) space of genus one models of degree n. The moduleof covariants Xn → Xn is a free module of rank 2 over the ring of invariants.The generators are the identity map, and a second covariant, which we term theHessian. (In the cases n = 2, 3 this is the determinant of a matrix of second partialderivatives.) This function evaluates the Hessian of the given genus one model.

CoveringCovariants(model)

The covariants that define the covering map from the given genus one model to itsJacobian (this is the same as the defining equations of the nCovering).

Contravariants(model)

We write Xn for the (affine) space of genus one models of degree n, and X∗n for

its dual. The module of contravariants Xn → X∗n is a free module of rank 2 over

the ring of invariants. This function evaluates the generators P and Q at the givengenus one model.

HesseCovariants(model,r)

Evaluates a pair of covariants, which depend on an integer r, at the genus one modelf or model of degree prime to r. The pencil spanned by these genus one models is afamily of genus one curves invariant under the same representation of the Heisenberggroup. (In other words the universal family above a twist of X(n).)

If r ≡ 1 (mod n) then the covariants evaluated are the identity map andthe Hessian. If r ≡ −1 (mod n) then the covariants evaluated are theContravariants. If n = 5 there are two further possibilities. We identifyX5 = ∧2V ⊗ W where V and W are 5-dimensional vector spaces. Then the co-variants evaluated for r ≡ 2, 3 (mod 5) take values in ∧2W ⊗ V ∗ and ∧2W ∗ ⊗ Vrespectively.


HessePolynomials(n, r, invariants : parameters)

Variables [ RngMPolElt ] Default :

The Hesse polynomials D(x, y), c4(x, y), c6(x, y). These polynomials give the in-variants for the pencil of genus one models computed by HesseCovariants. TheRubinSilverbergPolynomials are closely related to these formulae in the case r ≡ 1(mod n).

106.12 Extended Example

Example H106E2

We find a cubic which is a counter-example to the Hasse principle. The approach involves theidea of “visibility” of Tate-Shafarevich elements, which was introduced by Mazur (see [CM00]).The cubic will be a nontrivial element of the Tate-Shafarevich group of the curve 4343B1 inCremona’s tables, which we call E. The cubic will be obtained from a rational point on anauxiliary elliptic curve F .First, we compute that E has rank 0, and F has rank 1:

> E := EllipticCurve([ 0, 0, 1, -325259, -71398995 ]);

> F := EllipticCurve([ 1, -1, 1, -24545, 1486216 ]);

> CremonaReference(E);

4343b1

> RankBounds(E);

0 0

> RankBounds(F);

1 1

We take a plane cubic representing one of the nontrivial elements in the 3-Selmer group of F ,which has order 3, so that its elements are all in the image of F (Q), since F (Q) has rank 1:

> SetClassGroupBounds(500);

> #ThreeSelmerGroup(F);

3

> coverings := ThreeDescent(F);

> coverings;

[


-3*x^2*z - 3*x*y^2 - 27*x*y*z + 12*x*z^2 + 2*y^3 + 21*y^2*z + 3*y*z^2 - 4*z^3

]

> C := Equation(coverings[1]);

We now try to find a linear combination of C and its Hessian (which is also a plane cubic) thathas j-invariant equal to the j-invariant of E. To find the right linear combination, we may workgeometrically (that is, with F instead of C, since they are isomorphic over Q). We work with thefamily tF + H (where t is an indeterminate).

> B<t> := PolynomialRing(Rationals());

> F_BR := ChangeRing(Parent(Equation(F)), B);


> F_B := F_BR ! Equation(F);

> H_B := Hessian(F_B);

> c4,c6,Delta := Invariants(t*F_B+H_B);

Alternatively we could get these invariants as follows:

> D,c4,c6 := HessePolynomials(3, 1, cInvariants(F) : Variables:=[t,1] );

> Delta := Discriminant(F)*D^3;

// Solve c4(t)^3/Delta(t) = j(E) for t:

> jpoly := c4^3 - jInvariant(E)*Delta;

> Roots(jpoly);

[ <7479/7, 1> ]

So we take the following linear combination (and replace the equation by a nicer equation):

> C2raw := 7479/7*C + Hessian(C);

> C2 := Reduce(Minimise(C2raw));

> C2;

7*x^3 + 7*x^2*y + 3*x^2*z - 4*x*y^2 - 30*x*y*z + 12*x*z^2 - 13*y^3 - 2*y^2*z -

15*y*z^2 - 17*z^3

The Jacobian of C2 is E, so C2 is a principal homogeneous space for E of index 3, and in fact itis everywhere locally soluble:

> IsIsomorphic(Jacobian(C2),E);

true

> PrimeDivisors( Integers()!Discriminant(GenusOneModel(C2)) );

[ 43, 101 ]

> C2_crv := Curve(ProjectiveSpace(Parent(C2)),C2);

> IsLocallySolvable( C2_crv, 43);

true (7 + O(43) : 1 + O(43^50) : O(43))

> IsLocallySolvable( C2_crv, 101);

true (1 + O(101^50) : 32 + O(101) : 1 + O(101))

// Find the preimage of the covering map C2 -> E:

> _,_,maptoE := nCovering(GenusOneModel(C2) : E:=E);

> preimage := Pullback(maptoE, E!0);

> Points(preimage); // Q-rational points

@ @

> TorsionSubgroup(E);

Abelian Group of order 1

We conclude that C2 has no rational points since, as E(Q) is trivial, any rational points on C2must map to OE .


106.13 Bibliography[AKM+01] Sang Yook An, Seog Young Kim, David C. Marshall, Susan H. Marshall,

William G. McCallum, and Alexander R. Perlis. Jacobians of genus one curves. J.Number Theory, 90(2):304–315, 2001.

[ARVT05] Michael Artin, Fernando Rodriguez-Villegas, and John Tate. On the Jaco-bians of plane cubics. Adv. Math., 198(1):366–382, 2005.

[CM00] John E. Cremona and Barry Mazur. Visualizing elements in the Shafarevich-Tate group. Experiment. Math., 9(1):13–28, 2000.

[Fis] T.A Fisher. The invariants of a genus one curve. preprint.URL:http://www.dpmms.cam.ac.uk/ taf1000/g1inv.html.

[Fis06] T.A. Fisher. Testing equivalence of ternary cubics. In S. Pauli F. Hess andM.Pohst, editors, ANTS VII, volume 4076 of LNCS, pages 333–345. Springer-Verlag,2006.

[RS95] K. Rubin and A. Silverberg. Families of elliptic curves with constant modp representations. In Elliptic curves, modular forms, & Fermat’s last theorem (HongKong, 1993), Ser. Number Theory, I, pages 148–161. Internat. Press, Cambridge, MA,1995.

107 HYPERELLIPTIC CURVES107.1 Introduction . . . . . . . 3419

107.2 Creation Functions . . . . 3419

107.2.1 Creation of a Hyperelliptic Curve 3419

HyperellipticCurve(f, h) 3419HyperellipticCurve(f) 3419HyperellipticCurve([f, h]) 3419HyperellipticCurve(P, f, h) 3420HyperellipticCurveOfGenus(g, f, h) 3420HyperellipticCurveOfGenus(g, f) 3420HyperellipticCurve

OfGenus(g, [f, h]) 3420HyperellipticCurve(E) 3420


IsHyperellipticCurve([f, h]) 3420IsHyperellipticCurve

OfGenus(g, [f, h]) 3420


BaseChange(C, K) 3421BaseExtend(C, K) 3421BaseChange(C, j) 3421BaseExtend(C, j) 3421BaseChange(C, n) 3421BaseExtend(C, n) 3421ChangeRing(C, K) 3421

107.2.4 Models . . . . . . . . . . . . 3422

SimplifiedModel(C) 3422HasOddDegreeModel(C) 3422IntegralModel(C) 3423MinimalWeierstrassModel(C) 3423pIntegralModel(C, p) 3423pNormalModel(C, p) 3423pMinimalWeierstrassModel(C, p) 3423ReducedModel(C) 3424ReducedMinimalWeierstrassModel(C) 3424SetVerbose("CrvHypReduce", v) 3424

107.2.5 Predicates on Models . . . . . 3424

IsSimplifiedModel(C) 3424IsIntegral(C) 3424IspIntegral(C, p) 3424IspNormal(C, p) 3424IspMinimal(C, p) 3425

107.2.6 Twisting Hyperelliptic Curves . . 3425

QuadraticTwist(C, d) 3425QuadraticTwist(C) 3425QuadraticTwists(C) 3425IsQuadraticTwist(C, D) 3425

107.2.7 Type Change Predicates . . . . 3426

IsEllipticCurve(C) 3426

107.3 Operations on Curves . . . 3426


HyperellipticPolynomials(C) 3426Degree(C) 3426Discriminant(C) 3426Genus(C) 3426

107.3.2 Igusa Invariants . . . . . . . . 3427

ClebschInvariants(C) 3427ClebschInvariants(f) 3428IgusaClebschInvariants(C: -) 3428IgusaClebschInvariants(f, h) 3428IgusaClebschInvariants(f: -) 3428IgusaInvariants(C: -) 3428JInvariants(C: -) 3428IgusaInvariants(f, h) 3429JInvariants(f, h) 3429IgusaInvariants(f: -) 3429JInvariants(f: -) 3429ScaledIgusaInvariants(f, h) 3429ScaledIgusaInvariants(f) 3429AbsoluteInvariants(C) 3429ClebschToIgusaClebsch(Q) 3429IgusaClebschToIgusa(S) 3429

107.3.3 Base Ring . . . . . . . . . . 3430

BaseField(C) 3430BaseRing(C) 3430CoefficientRing(C) 3430

107.4 Creation from Invariants . . 3430

HyperellipticCurveFromIgusaClebsch(S) 3430

107.5 Function Field . . . . . . 3431107.5.1 Function Field and Polynomial

Ring . . . . . . . . . . . . . 3431

FunctionField(C) 3431DefiningPolynomial(C) 3431EvaluatePolynomial(C, a, b, c) 3431EvaluatePolynomial(C, [a, b, c]) 3431

107.6 Points . . . . . . . . . . 3432


! 3432! 3432elt< > 3432elt< > 3432! 3432Points(C, x) 3432RationalPoints(C, x) 3432PointsAtInfinity(C) 3432IsPoint(C, S) 3432

107.6.2 Random Points . . . . . . . . 3433

Random(C) 3433



eq 3433ne 3433


P[i] 3434Eltseq(P) 3434ElementToSequence(P) 3434

107.6.5 Arithmetic of Points . . . . . . 3434

- 3434Involution(P) 3434

107.6.6 Enumeration and Counting Points 3434

NumberOfPointsAtInfinity(C) 3434PointsAtInfinity(C) 3434# 3434Points(C) 3435RationalPoints(C) 3435PointsKnown(C) 3435ZetaFunction(C) 3435ZetaFunction(C, K) 3435

107.6.7 Frobenius . . . . . . . . . . 3436

Frobenius(P, F) 3436

107.7 Isomorphisms andTransformations . . . . . . 3436

107.7.1 Creation of Isomorphisms . . . 3436

Aut(C) 3436Iso(C1, C2) 3436Transformation(C, t) 3437Transformation(C, u) 3437Transformation(C, e) 3437Transformation(C, e, u) 3437Transformation(C, t, e, u) 3437

107.7.2 Arithmetic with Isomorphisms . 3437

* 3437Inverse(f) 3437in 3437@ 3438Evaluate(f,P) 3438@@ 3438Pullback(f,P) 3438eq 3438

107.7.3 Invariants of Isomorphisms . . . 3438

Parent(f) 3438Domain(f) 3438Codomain(f) 3438

107.7.4 Automorphism Group andIsomorphism Testing . . . . . . 3438

IsGL2Equivalent(f, g, n) 3438IsIsomorphic(C1, C2) 3439AutomorphismGroup(C) 3439GeometricAutomorphismGroup(C) 3441

107.8 Jacobians . . . . . . . . 3442

107.8.1 Creation of a Jacobian . . . . . 3442

Jacobian(C) 3442


Curve(J) 3442Dimension(J) 3442

107.8.3 Base Ring . . . . . . . . . . 3442

BaseField(J) 3442BaseRing(J) 3442CoefficientRing(J) 3442


BaseChange(J, F) 3443BaseExtend(J, F) 3443BaseChange(J, j) 3443BaseExtend(J, j) 3443BaseChange(J, n) 3443BaseExtend(J, n) 3443

107.9 Points on the Jacobian . . . 3443


! 3444Id(J) 3444Identity(J) 3444! 3444elt< > 3444elt< > 3444elt< > 3444elt< > 3444- 3445! 3445elt< > 3445! 3445elt< > 3445D) 3445! 3445Points(J, a, d) 3445RationalPoints(J, a, d) 3445

107.9.2 Random Points . . . . . . . . 3447

Random(J) 3447

107.9.3 Booleans and Predicates for Points3448

eq 3448ne 3448IsZero(P) 3448IsIdentity(P) 3448




- 3448+ 3448+:= 3448- 3448-:= 3449

Ch. 107 HYPERELLIPTIC CURVES 3417

* 3449* 3449*:= 3449

107.9.6 Order of Points on the Jacobian . 3449

Order(P) 3449Order(P, l, u) 3449Order(P, l, u, n, m) 3449HasOrder(P, n) 3449

107.9.7 Frobenius . . . . . . . . . . 3450

Frobenius(P, k) 3450

107.9.8 Weil Pairing . . . . . . . . . 3450

WeilPairing(P, Q, m) 3450

107.10 Rational Points and GroupStructure over finite fields . 3451

107.10.1 Enumeration of Points . . . . . 3451

Points(J) 3451RationalPoints(J) 3451

107.10.2 Counting Points on the Jacobian 3451

SetVerbose("JacHypCnt", v) 3451# 3451Order(J) 3451FactoredOrder(J) 3455EulerFactor(J) 3455EulerFactorModChar(J) 3455EulerFactor(J, K) 3456

107.10.3 Deformation Point Counting . . 3456

JacobianOrdersByDeformation(Q, Y) 3456EulerFactorsByDeformation(Q, Y) 3456ZetaFunctionsByDeformation(Q, Y) 3456

107.10.4 Abelian Group Structure . . . . 3457

Sylow(J, p) 3457AbelianGroup(J) 3457HasAdditionAlgorithm(J) 3457

107.11 Jacobians over Number Fieldsor Q . . . . . . . . . . . 3458

107.11.1 Searching For Points . . . . . . 3458

Points(J) 3458RationalPoints(J) 3458

107.11.2 Torsion . . . . . . . . . . . 3458

TwoTorsionSubgroup(J) 3458TorsionBound(J, n) 3458TorsionSubgroup(J) 3458

107.11.3 Heights and Regulator . . . . . 3460

NaiveHeight(P) 3460Height(P: Precision) 3460CanonicalHeight(P: Precision) 3460HeightConstant(J: -) 3460HeightPairing(P, Q: Precision) 3461HeightPairingMatrix(S: Precision) 3461Regulator(S: Precision) 3461ReducedBasis(S: Precision) 3461

107.11.4 The 2-Selmer Group . . . . . . 3464

BadPrimes(C) 3464BadPrimes(J) 3464HasSquareSha(J) 3464IsEven(J) 3464IsDeficient(C, p) 3464RankBound(J) 3465RankBounds(J) 3465TwoSelmerGroup(J) 3465

107.12 Chabauty’s Method . . . . 3469

Chabauty0(J) 3469Chabauty(P, p: Precision) 3469

107.13 Kummer Surfaces . . . . . 3474

107.13.1 Creation of a Kummer Surface . 3474

KummerSurface(J) 3474

107.13.2 Structure Operations . . . . . 3474

DefiningPolynomial(K) 3474

107.13.3 Base Ring . . . . . . . . . . 3474

BaseField(K) 3474BaseRing(K) 3474CoefficientRing(K) 3474


BaseChange(K, F) 3474BaseExtend(K, F) 3474BaseChange(K, j) 3474BaseExtend(K, j) 3474BaseChange(K, n) 3474BaseExtend(K, n) 3474

107.14 Points on the Kummer Surface3475


! 3475! 3475! 3475IsPoint(K, S) 3475Points(K,[x1, x2, x3]) 3475




eq 3475ne 3475


- 3476* 3476* 3476Double(P) 3476PseudoAdd(P1, P2, P3) 3476PseudoAddMultiple(P1, P2, P3, n) 3476


107.14.5 Rational Points on the KummerSurface . . . . . . . . . . . . 3476

RationalPoints(K, Q) 3476

107.14.6 Pullback to the Jacobian . . . . 3477

Points(J, P) 3477RationalPoints(J, P) 3477

107.15 Analytic Jacobians of Hyperel-liptic Curves . . . . . . . 3477

107.15.1 Creation and Access Functions . 3478

AnalyticJacobian(f) 3478HyperellipticPolynomial(A) 3478SmallPeriodMatrix(A) 3478BigPeriodMatrix(A) 3479HomologyBasis(A) 3479Dimension(A) 3479Genus(A) 3479BaseField(A) 3479BaseRing(A) 3479CoefficientRing(A) 3479

107.15.2 Maps between Jacobians . . . . 3480

ToAnalyticJacobian(x, y, A) 3480FromAnalyticJacobian(z, A) 3480To2DUpperHalfSpace

FundamentalDomian(z) 3482AnalyticHomomorphisms(t1, t2) 3482IsIsomorphic

SmallPeriodMatrices(t1,t2) 3482IsIsomorphic

BigPeriodMatrices(P1, P2) 3482IsIsomorphic(A1, A2) 3482IsIsogenousPeriodMatrices(P1, P2) 3483IsIsogenous(A1, A2) 3483EndomorphismRing(P) 3483EndomorphismRing(A) 3483

107.15.3 From Period Matrix to Curve . . 3486

RosenhainInvariants(t) 3486

107.15.4 Voronoi Cells . . . . . . . . . 3488

Delaunay(sites) 3488Voronoi(sites) 3489

107.16 Bibliography . . . . . . . 3489

Chapter 107

HYPERELLIPTIC CURVES

107.1 IntroductionThis chapter contains descriptions of functions designed to perform calculations with

hyperelliptic curves and their Jacobians. A hyperelliptic curve, which is taken to includethe genus one case, is given by a nonsingular generalized Weierstrass equation

y2 + h(x)y = f(x),

where h(x) and f(x) are polynomials over a field K. The curve is viewed as embedded ina weighted projective space, with weights 1, g + 1, and 1, in which the points at infinityare nonsingular.

Functionality for hyperelliptic curves includes optimized algorithms for working ongenus two curves over Q, including heights on the Jacobian, and a datatype for the Kummersurface of the Jacobian. For Jacobians of curves over finite fields, there exist specializedalgorithms for computing the group structure of the set of rational points.

The category of hyperelliptic curves is CrvHyp and points on curves are of type PtHyp.Jacobians of hyperelliptic curves are of type JacHyp and points JacHypPt. Similarly, theKummer surface of a genus two curve is of type SrfKum with points of type SrfKumPt.

The initial development of machinery for hyperelliptic curves was undertaken byMichael Stoll, supported by members of the Magma group.

107.2 Creation Functions

107.2.1 Creation of a Hyperelliptic CurveA hyperelliptic curve C given by a generalized Weierstrass equation y2 + h(x)y = f(x) iscreated by specifying polynomials h(x) and f(x) over a field K. The class of hyperellipticcurves includes curves of genus one, and a hyperelliptic curve may also be constructed bytype change from an elliptic curve E. Note that the ambient space of C is a weightedprojective space in which the one or two points at infinity are nonsingular.

HyperellipticCurve(f, h)

HyperellipticCurve(f)

HyperellipticCurve([f, h])

Given two polynomials h and f ∈ R[x] where R is a field or integral domain, thisfunction returns the nonsingular hyperelliptic curve C : y2 + h(x)y = f(x). If h(x)is not given, then it is taken as zero. If R is an integral domain rather than a field,the base field of the curve is taken to be the field of fractions of R. An error isreturned if the given curve C is singular.


HyperellipticCurve(P, f, h)

Create the hyperelliptic curve as described above using the projective space P asthe ambient. The ambient P should have dimension 2.

HyperellipticCurveOfGenus(g, f, h)

HyperellipticCurveOfGenus(g, f)

HyperellipticCurveOfGenus(g, [f, h])

Given a positive integer g and two polynomials h and f ∈ R[x] where R is a field orintegral domain, this function returns the nonsingular hyperelliptic curve of genusg given by C : y2 + h(x)y = f(x). If h(x) is not given, then it is taken as zero.Before attempting to create C, the function checks that its genus will be g by testingvarious numerical conditions on f and g. If the genus is not correct, a runtime erroris raised. If R is an integral domain rather than a field, the base field of C is takento be the field of fractions of R. An error is returned if the curve C is singular.

HyperellipticCurve(E)

Returns the hyperelliptic curve C corresponding to the elliptic curve E, followed bythe map from E to C.


IsHyperellipticCurve([f, h])

Given a sequence containing two polynomials h, f ∈ R[x], where R is an integraldomain, return true if and only if C : y2 +h(x)y = f(x) is a hyperelliptic curve. Inthis case, the curve is returned as a second value.

IsHyperellipticCurveOfGenus(g, [f, h])

Given a positive integer g and a sequence containing two polynomials h, f ∈ R[x]where R is an integral domain, return true if and only if C : y2 + h(x)y = f(x) is ahyperelliptic curve of genus g. In this case, the curve is returned as a second value.

Example H107E1

Create a hyperelliptic curve over the rationals:

> P<x> := PolynomialRing(RationalField());

> C := HyperellipticCurve(x^6+x^2+1);

> C;

Hyperelliptic Curve defined by y^2 = x^6 + x^2 + 1 over Rational Field

> C![0,1,1];

(0 : 1 : 1)

Now create the same curve over a finite field:

> P<x> := PolynomialRing(GF(7));



> C;

Hyperelliptic Curve defined by y^2 = x^6 + x^2 + 1 over GF(7)

> C![0,1,1];

(0 : 1 : 1)

107.2.3 Changing the Base Ring

BaseChange(C, K)

BaseExtend(C, K)

Given a hyperelliptic curve C defined over a field k, and a field K which is anextension of k, return a hyperelliptic curve C ′ over K using the natural inclusion ofk in K to map the coefficients of C into elements of K.

BaseChange(C, j)

BaseExtend(C, j)

Given a hyperelliptic curve C defined over a field k and a ring map j : k → K,return a hyperelliptic curve C ′ over K by applying j to the coefficients of E.

BaseChange(C, n)

BaseExtend(C, n)

If C is a hyperelliptic curve defined over a finite field k and a positive integer n, letK denote the extension of k of degree n. This function returns a hyperelliptic curveC ′ over K using the natural inclusion of k in K to map the coefficients of C intoelements of K.

ChangeRing(C, K)

Given a hyperelliptic curve C defined over a field k, and a field K, return a hyper-elliptic curve C ′ over K that is obtained from C by by mapping the coefficients ofC into K using the standard coercion map from k to K. This is useful when thereis no appropriate ring homomorphism between k and K (e.g., when k = Q and Kis a finite field).


Example H107E2

We construct a curve C over the rationals and use ChangeRing to construct the correspondingcurve C1 over GF (101).


> C := HyperellipticCurve([x^9-x^2+57,x+1]);

> C1 := ChangeRing(C, GF(101));

> C1;

Hyperelliptic Curve defined by y^2 + (x + 1)*y = x^9 + 100*x^2 + 57

over GF(101)

> Q<t> := PolynomialRing(GF(101));

> HyperellipticPolynomials(C1);

t^9 + 100*t^2 + 57

t + 1

> C2, f := SimplifiedModel(C1);

> HyperellipticPolynomials(C2);

4*t^9 + 98*t^2 + 2*t + 27

0

> P1 := C1![31,30,1];

> P1;

(31 : 30 : 1)

> Q := P1@f; // evaluation

> Q;

(31 : 92 : 1)

> Q@@f; // pullback

(31 : 30 : 1)

An explanation of the syntax for isomorphisms of hyperelliptic curves and the functions for modelsis given below.

107.2.4 Models

SimplifiedModel(C)

Given a hyperelliptic curve C defined over a field of characteristic not equal to 2,this function returns an isomorphic hyperelliptic curve C ′ of the form y2 = f(x),followed by the isomorphism C → C ′.

HasOddDegreeModel(C)

Given a hyperelliptic curve C, this function returns true if C has a model C ′ ofthe form y2 = f(x), with f of odd degree. If so, C ′ is returned together with theisomorphism C → C ′.


IntegralModel(C)


Given a hyperelliptic curve C defined over the rationals, this function returns anisomorphic curve C ′ given by polynomials with integral coefficients, together withthe isomorphism C → C ′. If Reduce is set true, common divisors of the coefficientsare eliminated as far as possible.

MinimalWeierstrassModel(C)


Verbose CrvHypMinimal Maximum : 3

Given a hyperelliptic curve C defined over the rationals, this function returns aglobally minimal Weierstrass model C ′ of C. If Bound is set, it gives an upperbound for the bad primes that are checked. As this calculation uses trial division,Bound should not be set much larger than 107. The isomorphism C → C ′ is returnedas a second value.

pIntegralModel(C, p)


Given a hyperelliptic curve C defined over Q or a rational function field, this functionreturns a model C ′ of the curve that is integral at the place p given as an integer,rational, polynomial, rational function or ∞. The isomorphism C → C ′ is returnedas a second value.

pNormalModel(C, p)


Given a hyperelliptic curve C defined over Q or a rational function field, this functionreturns a model C ′ of the curve that is normal at the place p given as an integer,rational, polynomial, rational function or ∞. The isomorphism C → C ′ is returnedas a second value.

pMinimalWeierstrassModel(C, p)


Given a hyperelliptic curve C defined over Q or a rational function field, this functionreturns a Weierstrass model C ′ of the curve that is minimal at the place p given asan integer, rational, polynomial, rational function or ∞. The isomorphism C → C ′

is returned as a second value.


ReducedModel(C)

Simple BoolElt Default : false

Al MonStgElt Default : "Stoll"

Verbose CrvHypReduce Maximum : 3Given a hyperelliptic curve C with integral coefficients, this computes a reducedmodel C ′. If the Stoll algorithm is used (default) then the curve argument must haveintegral coefficients and reduction is performed with respect to the action of SL2(Z)on the (x, z)-coordinates. If the Wamelen algorithm is used, (Al := "Wamelen"),the curve must have genus 2. The isomorphism C → C ′ is currently returned onlyfor the algorithm of Stoll.

ReducedMinimalWeierstrassModel(C)

Simple BoolElt Default : false

Verbose CrvHypMinimal Maximum : 3Verbose CrvHypReduce Maximum : 3

Given a hyperelliptic curve C defined over the rationals, this function returns aglobally minimal integral Weierstrass model C ′ of C that is reduced with respect tothe action of SL2(Z), using Stoll’s algorithm in ReducedModel. The isomorphismC → C ′ is returned as a second value.

SetVerbose("CrvHypReduce", v)

This sets the verbose printing level for the curve reduction algorithms of Stoll andWamelen. The second argument can take integral values in the interval [0, 3], orboolean values: false (equivalent to 0) and true (equivalent to 1).

107.2.5 Predicates on Models

IsSimplifiedModel(C)

Returns true if the hyperelliptic curve C is of the form y2 = f(x).

IsIntegral(C)

Given a hyperelliptic curve C, the function returns true if C has integral coefficients,and false otherwise.

IspIntegral(C, p)

Given a hyperelliptic curve C defined over Q or a rational function field, this functionreturns true if the given model of C is integral at the given place.

IspNormal(C, p)

Given a hyperelliptic curve C defined over Q or a rational function field, this functionreturns true if the given model of C is normal at the given place.


IspMinimal(C, p)

Given a hyperelliptic curve C defined over Q or a rational function field, this functiondecides whether the given model of C is minimal at the given place. The returnedvalues as follows:• false, false if C is not an integral minimal model at the given place.• true, false if C is integral and minimal at the given place, but not the unique

minimal model (up to transformations that are invertible over the local ring).• true, false if C is the unique integral minimal model at the given place, (up to

transformations that are invertible over the local ring).

107.2.6 Twisting Hyperelliptic Curves

QuadraticTwist(C, d)

Given a hyperelliptic curve C defined over a field k of characteristic not equal to 2and an element d that is coercible into k, return the quadratic twist of C by d.

QuadraticTwist(C)

Given a hyperelliptic curve C defined over a finite field k, return the standardquadratic twist of C over the unique extension of k of degree 2. If the characteristicof k is odd, then this is the same as the twist of C by a primitive element of k.

QuadraticTwists(C)

Given a hyperelliptic curve C defined over a finite field k of odd characteristic, returna sequence containing the non-isomorphic quadratic twists of C.

IsQuadraticTwist(C, D)

Verbose CrvHypIso Maximum : 3Given hyperelliptic curves C and D over a common field k having characteristic notequal to two, return true if and only if C is a quadratic twist of D over k. If so,the twisting factor is returned as the second value.

Example H107E3

We construct the quadratic twists of the hyperelliptic curve y2 = x6 + x2 + 1 defined over F7.



> QuadraticTwists(C);

[

Hyperelliptic Curve defined by y^2 = x^6 + x^2 + 1 over GF(7),

Hyperelliptic Curve defined by y^2 = 3*x^6 + 3*x^2 + 3 over GF(7)

]

> IsIsomorphic($1[1],$1[2]);

false


Example H107E4

We take a hyperelliptic curve over the rationals and form a quadratic twist of it.


> C := HyperellipticCurve(x^6+x);

> C7 := QuadraticTwist(C, 7);

> C7;

Hyperelliptic Curve defined by y^2 = 7*x^6 + 7*x over Rational Field

We now use the function IsIsomorphic to verify that C and C7 are nonisomorphic. We then extendthe field of definition of both curves to Q(

√7) and verify that the curves become isomorphic over

this extension.

> IsIsomorphic(C, C7);

false

> K<w> := ext< Rationals() | x^2-7 >;

> CK := BaseChange(C, K);

> C7K := BaseChange(C7, K);

> IsIsomorphic(CK, C7K);

true (x : y : z) :-> (x : -1/7*w*y : z)

107.2.7 Type Change Predicates

IsEllipticCurve(C)

The function returns true if and only if C is a genus one hyperelliptic curve of odddegree, in which case it also returns an elliptic curve E isomorphic to C followed bythe isomorphism C → E and the inverse isomorphism E → C.

107.3 Operations on Curves


HyperellipticPolynomials(C)

The univariate polynomials f(x), h(x), in that order, defining the hyperelliptic curveC by y2 + h(x)y = f(x).

Degree(C)

The degree of the hyperelliptic curve C or a pointset C of a hyperelliptic curve.

Discriminant(C)

The discriminant of the hyperelliptic curve C.

Genus(C)

The genus of the hyperelliptic curve C.


107.3.2 Igusa InvariantsThe Clebsch, Igusa–Clebsch and Igusa invariants may be computed for curves of genus 2.

The Magma package implementing the functions was written by Everett W. Howe([email protected]) with some advice from Michael Stoll and is based onsome gp routines written by Fernando Rodriguez–Villegas as part of the ComputationalNumber Theory project funded by a TARP grant. The gp routines may be found athttp://www.ma.utexas.edu/users/villegas/cnt/inv.gp.

Rodriguez–Villegas’s routines are based on a paper of Mestre [Mes91]. The first partof Mestre’s paper summarizes work of Clebsch and Igusa, and is based on the classicaltheory of invariants. This package contains functions to compute three types of invariantsof quintic and sextic polynomials f (or, perhaps more accurately, of binary sextic forms):

• The Clebsch invariants A, B, C, D of f , as defined on p. 317 of Mestre;

• The Igusa–Clebsch invariants A′, B′, C ′, D′ of f , as defined on p. 319 of Mestre; and

• The Igusa invariants (or Igusa J-invariants, or J-invariants) J2, J4, J6, J8, J10 of f , asdefined on p. 324 of Mestre.The corresponding functions are ClebschInvariants, IgusaClebschInvariants, and

JInvariants, respectively. For convenience, we use IgusaInvariants as a synonym forJInvariants.

Igusa invariants may be defined for a curve of genus 2 over any field and for polynomialsof degree at most 6 over fields of characteristic not equal to 2. The Igusa invariants of thecurve y2 + hy = f are equal to the Igusa invariants of the polynomial h2 + 4 ∗ f exceptin characteristic 2, where the latter are not defined. In practice, the functions below willnot calculate the Igusa invariants of a polynomial unless 2 is a unit in the coefficient ring.However, Igusa invariants of curves are available for all coefficient rings. (But see below.)

Igusa invariants are given by a sequence [J2, J4, J6, J8, J10] of five elements of the coef-ficient ring of the polynomials defining the curve. This sequence should be thought of asliving in weighted projective space, with weights 2, 4, 6, 8, and 10.

It should be noted that many of the people who work with genus 2 curves over thecomplex numbers prefer not to work with the real Igusa invariants, but rather work withsome related numbers, [I2, I4, I6, I10] (or [A′, B′, C ′, D′] in Mestre’s terminology), that wecall the Igusa–Clebsch invariants, of the curve. Once again, these live in weighted projectivespace. The Igusa–Clebsch invariants of a polynomial are defined in terms of certain nicesymmetric polynomials in its roots, and, in characteristic zero, the J-invariants may beobtained from the I-invariants by some simple homogeneous transformations. In fact, manyof the genus-2-curves-over-the-complex-numbers people refer to the elements i1 := I5

2/I10,i2 := I3

2 ∗ I4/I10 and i3 := I22 ∗ I6/I10 as the “invariants” of the curve. The problem with

the Igusa–Clebsch invariants is that they do not work in characteristic 2 and it was forthis reason that Igusa defined his J-invariants.

The coefficient ring of the polynomial f must be an algebra over a field of characteristicnot equal to 2 or 3.

ClebschInvariants(C)


Given a hyperelliptic curve C having genus 2, compute the Clebsch invariants A,B, C and D as described on p. 317 of [Mes91]. The base field of C may not havecharacteristic 2, 3 or 5. The invariants are found using Uberschiebungen.

ClebschInvariants(f)

Given a polynomial f of degree at most 6, compute the Clebsch invariants A, B, Cand D as described on p. 317 of [Mes91]. The coefficient ring of the polynomial fmust be an algebra over a field of characteristic not equal to 2, 3 or 5. The invariantsare found using Uberschiebungen.

IgusaClebschInvariants(C: parameters)

Quick BoolElt Default : false

Given a curve C of genus 2 defined over a field, the Igusa–Clebsch invariants A′, B′,C ′ and D′ as described on p. 319 of [Mes91] are found. These will be all be zero incharacteristic 2. If Quick is true, the base field of C may not have characteristic 2,3 or 5 and a faster method using Uberschiebungen is employed; otherwise, universalformulae are used.

IgusaClebschInvariants(f, h)

Given a polynomial h having degree at most 3 and a polynomial f having degree atmost 6, the Igusa–Clebsch invariants A′, B′, C ′ and D′ of the curve y2 +hy− f = 0are found. These will be all be zero in characteristic 2.

IgusaClebschInvariants(f: parameters)


Given a polynomial f having degree at most 6 and defined over a ring in which 2 is aunit, the Igusa–Clebsch invariants A′, B′, C ′ and D′ of the polynomial f are found.These will be all be zero in characteristic 2. If Quick is true, the coefficient ring off may not have characteristic 2, 3 or 5 and a faster method using Uberschiebungenis employed; otherwise, universal formulae are used.

IgusaInvariants(C: parameters)

JInvariants(C: parameters)


Given a curve C of genus 2 defined over a field, the function returns the Igusainvariants (or J-invariants) J2, J4, J6, J8, J10 as described on p. 324 of [Mes91]. IfQuick is true, the base field of C may not have characteristic 2, 3 or 5 and a fastermethod using Uberschiebungen is employed; otherwise, universal formulae are used.


IgusaInvariants(f, h)

JInvariants(f, h)

Given a polynomial h having degree at most 3 and a polynomial f having degree atmost 6, this function returns the Igusa invariants (or J-invariants) J2, J4, J6, J8, J10

of the curve y2 + hy = f . The coefficient ring R of the polynomials h and f musteither (a) have characteristic 2, or (b) be a ring in which Magma can apply theoperator ExactQuotient(n,2). For example, R may be an arbitrary field, the ringof rational integers, a polynomial ring over a field or over the integers and so forth.However, R may not be a p-adic ring, for instance. If the desired coefficient ringdoes not meet either condition (a) or condition (b), then ScaledIgusaInvariantsshould be used and its invariants then scaled by the appropriate powers of 1

2 .

IgusaInvariants(f: parameters)

JInvariants(f: parameters)


Given a polynomial f having degree at most 6 which is defined over a ring in which2 is a unit, return the Igusa invariants (or J-invariants) J2, J4, J6, J8, J10 of f . IfQuick is true, the coefficient ring of f may not have characteristic 2, 3 or 5 anda faster method using Uberschiebungen is employed; otherwise, universal formulaeare used.

ScaledIgusaInvariants(f, h)

Given a polynomial h having degree at most 3 and a polynomial f having de-gree at most 6, return the Igusa J-invariants of the curve y2 + hy = f , scaled by[16, 162, 163, 164, 165].

ScaledIgusaInvariants(f)

Given a polynomial f having degree at most 6 which is defined over a ring not ofcharacteristic 2, return the Igusa J-invariants of f , scaled by [16, 162, 163, 164, 165].

AbsoluteInvariants(C)

Given a curve C of genus 2 defined over a field, the function computes the tenabsolute invariants of C as described on p. 325 of [Mes91].

ClebschToIgusaClebsch(Q)

Convert Clebsch invariants in the sequence Q to Igusa–Clebsch invariants.

IgusaClebschToIgusa(S)

Convert Igusa–Clebsch invariants in the sequence S to Clebsch invariants.


107.3.3 Base Ring

BaseField(C)

BaseRing(C)

CoefficientRing(C)

The base field of the hyperelliptic curve C.

107.4 Creation from InvariantsThe problem is to construct a curve of genus 2 from a given set of Igusa–Clebsch invariantsdefined over the same field as the field of moduli (simply the smallest field in which theinvariants lie). Mestre [Mes91] shows that this is not always possible, even in theory. Butover a finite field or the rationals he gives a method for deciding whether it is possible and ifit is, for finding such a curve. Mestre’s algorithm was implemented by P. Gaudry. Mestre’salgorithm does not work when the curve has a split Jacobian. Cardona and Quer [CQ02]showed that in this case one can always find a curve defined over the field of moduli andgave equations for such a curve. This works over any field of characteristic not 2, 3 or 5.

Over a field of characteristic zero, the equation of the curve returned by these methodscan involve huge coefficients. For curves over the rationals, this curve can be processed bythe algorithm of P. Wamelen [Wam99] and [Wam01]. While, in practice, this algorithmoften produces a curve with much smaller coefficients, for certain curves the algorithm maynot significantly reduce their size.

HyperellipticCurveFromIgusaClebsch(S)


Try to build a curve of genus 2 with the Igusa-Clebsch invariants given in thesequence S (see Subsection 107.3.2) by Mestre’s algorithm (and Cardona’s in caseof non-hyperelliptic involutions) defined over the field in which the invariants lie.Currently this field must be the rationals or a finite field of characteristic biggerthan 5. In case such a curve does not exist a curve defined over some quadraticextension is returned.

When the base field is the rationals, the parameter Reduce invokes Wamelen’sreduction algorithm, and is equivalent to a call to ReducedModel with the algorithmspecified as "Wamelen".

Example H107E5

A typical run would look like:

> SetVerbose("Igusa",1);

> IgCl := [ Rationals() |

> -549600, 8357701824, -1392544870972992, -3126674637319431000064 ];

> time C := HyperellipticCurveFromIgusaClebsch(IgCl);

Found conic point:

(-64822283782462146583672682837123736006679080996161747198790\


94839597076141357421875/1363791104410093031413327266775768846\

086857295667582286386963073756856153402049457884003686477312,\

10188009335968531191794821132584413878133549529657888880045011\

3779781952464580535888671875/107297694738676628355433722672369\

86876862256732919126043768293539723478848063808819839532581156\

5610468983296)

Time: 0.990

> time C := ReducedModel(C : Al := "Wamelen");

Time: 161.680

> HyperellipticPolynomials(C);

-23*x^6 + 52*x^5 - 55*x^4 + 40*x^3 - 161*x^2 + 92*x - 409

0

107.5 Function Field

107.5.1 Function Field and Polynomial Ring

FunctionField(C)

The function field of the hyperelliptic curve C.

DefiningPolynomial(C)

A weighted homogeneous polynomial for the hyperelliptic curve C.

EvaluatePolynomial(C, a, b, c)

EvaluatePolynomial(C, [a, b, c])

Evaluates the homogeneous defining polynomial of the hyperelliptic curve C at thepoint (a, b, c).


107.6 Points

The hyperelliptic curve is embedded in a weighted projective space, with weights 1, g + 1,and 1, respectively on x, y and z. Therefore point triples satisfy the equivalence relation(x : y : z) = (µx : µg+1y : µz), and the points at infinity are then normalized to take theform (1 : y : 0).

107.6.1 Creation of Points

C ! [x, y]

C ! [x, y, z]

elt< PS | x, y >

elt< PS | x, y, z >

Returns the point on a hyperelliptic curve C specified by the coordinates (x, y, z).The elt constructor takes the pointset of a hyperelliptic curve as an argument. Ifz is not specified it is assumed to be 1.

C ! P

Given a point P on a hyperelliptic curve C1, such that C is a base extension of C1,this returns the corresponding point on the hyperelliptic curve C. The curve C canbe, e.g., the reduction of C1 to finite characteristic (i.e. base extension to a finitefield) or the tautological coercion to itself.

Points(C, x)

RationalPoints(C, x)

The indexed set of all rational points on the hyperelliptic curve C that have thevalue x as their x-coordinate. Note that points at infinity are considered to have ∞as their x-coordinate.

PointsAtInfinity(C)

The points at infinity for the hyperelliptic curve C returned as an indexed set ofpoints.

IsPoint(C, S)

The function returns true if and only if the sequence S specifies a point on thehyperelliptic curve C, and if so, returns this point as the second value.


Example H107E6

We look at the point at infinity on y2 = x5 + 1.


> C := HyperellipticCurve(x^5+1);

> PointsAtInfinity(C);

@ (1 : 0 : 0) @

There is only one, and to see that this really is a point on C it must be remembered that inMagma, all hyperelliptic curves are considered to live in weighted projective spaces:

> Ambient(C);

Projective Space of dimension 2

Variables : $.1, $.2, $.3

Gradings :

1 3 1

In fact, the point is nonsingular on C, as we now check. (It’s worth remembering that all thefunctionality for curves, for instance IsNonSingular, applies to hyperelliptic curves as a specialcase.)

> pointAtInfinity := C![1,0,0]; // Entering the point by hand.

> IsNonSingular(pointAtInfinity);

true

107.6.2 Random Points

Random(C)

Given a hyperelliptic curve C defined over a finite field, this returns a point chosenat random on the curve. If the set of all points on C has already been computed,this gives a truly random point, otherwise the ramification points have a slightadvantage.


P eq Q

Returns true if and only if the two points P and Q on the same hyperelliptic curvehave the same coordinates.

P ne Q

Returns false if and only if the two points P and Q on the same hyperelliptic curvehave the same coordinates.



P[i]

The i-th coordinate of the point P , for 1 ≤ i ≤ 3.

Eltseq(P)


Given a point P on a hyperelliptic curve, this returns a 3-element sequence consistingof the coordinates of the point P .

107.6.5 Arithmetic of Points

-P

Involution(P)

Given a point P on a hyperelliptic curve, this returns the image of P under thehyperelliptic involution.

107.6.6 Enumeration and Counting Points

NumberOfPointsAtInfinity(C)

The number of points at infinity on the hyperelliptic curve C.

PointsAtInfinity(C)

The points at infinity for the hyperelliptic curve C returned as an indexed set ofpoints.

#C

Given a hyperelliptic curve C defined over a finite field, this returns the number ofrational points on C.

If the base field is small or there is no other good alternative, a naive point count-ing technique is used. However, if they are applicable, the faster p-adic methodsdescribed in the #J section are employed (which actually yield the full zeta functionof C). As for #J, the verbose flag JacHypCnt can be used to output informationabout the computation.


Points(C)

RationalPoints(C)


NPrimes RngIntElt Default : 30DenominatorBound RngIntElt Default : Bound

For a hyperelliptic curve C defined over a finite field, the function returns an indexedset of all rational points on C. For a curve C over Q of the form y2 = f(x) withintegral coefficients, it returns the set of points such that the naive height of thex-coordinate is less than Bound.

For a curve C over a number field, looks for points using a sieve method, describedin Appendix A of [Bru02]. The parameter NPrimes controls the number of primeswhich are used and DenominatorBound the size of the denominators used.

PointsKnown(C)

Returns true if and only if the points of the hyperelliptic curve C have been com-puted. This can especially be helpful when the curve is likely to have many pointsand when one does not wish to trigger the possibly expensive point computation.

ZetaFunction(C)

Given a hyperelliptic curve C defined over a finite field, this function computes thezeta function of C. The zeta function is returned as an element of the function fieldin one variable over the integers.

If the base field is small or there is no other good alternative, the method usedis a naive point count on the curve over extensions of degree 1, ..., g of the basefield. However, if they are applicable, the faster p-adic methods described in the #Jsection are employed. As for #J, the verbose flag JacHypCnt can be used to outputinformation about the computation.

ZetaFunction(C, K)

Given a hyperelliptic curve C defined over the rationals, this function computesthe zeta function of the base extension of C to K. The curve C must have goodreduction at the characteristic of K.

Example H107E7

For the following classical curve of Diophantus’ Arithmetica, it is proved by Joseph Wetherell[Wet97] that Diophantus found all positive rational points. The following Magma code enumeratesthe points on this curve.



> Points(C : Bound := 1);

@ (1 : -1 : 0), (1 : 1 : 0), (0 : -1 : 1), (0 : 1 : 1) @


@ (1 : -1 : 0), (1 : 1 : 0), (0 : -1 : 1), (0 : 1 : 1), (-1 : -9 : 2),


(-1 : 9 : 2), (1 : -9 : 2), (1 : 9 : 2) @


@ (1 : -1 : 0), (1 : 1 : 0), (0 : -1 : 1), (0 : 1 : 1), (-1 : -9 : 2),

(-1 : 9 : 2), (1 : -9 : 2), (1 : 9 : 2) @

107.6.7 Frobenius

Frobenius(P, F)


Applies the Frobenius x− > x(#F ) to P . If Check is true, it verifies that the curveof which P is a point is defined over the finite field F .

107.7 Isomorphisms and Transformations

A hyperelliptic curve isomorphism is defined by a linear fractional transformation t(x :z) = (ax + bz : cx + dz), a scale factor e, and a polynomial u(x) of degree at most g + 1,where g is the genus of the curve. This data defines the isomorphism of weighted projectivepoints

(x : y : z) 7→ (ax + bz : ey + u(x, z) : cx + dz),

where u is the degree g + 1 homogenization of u. When not specified, the values of e andu are by default taken to be 1 and 0, respectively.

An isomorphism can be created from the parent structures by coercing a tuple〈[a, b, c, d], e, u〉 into the structure of isomorphisms between two hyperelliptic curves, orby creating it as a transformation of a given curve, i.e. creating the codomain curvetogether with the isomorphism from the given data.

Note that due to the projective weighting of the ambient space of the curve, two equalisomorphisms may have different representations.

107.7.1 Creation of Isomorphisms

Aut(C)

Given a hyperelliptic curve C, this returns the structure of all automorphisms ofthe curve.

Iso(C1, C2)

Given hyperelliptic curves C1 and C2 of the same genus and base field, this returnsthe structure of all isomorphisms between them.


Transformation(C, t)

Transformation(C, u)

Transformation(C, e)

Transformation(C, e, u)

Transformation(C, t, e, u)

Returns the hyperelliptic curve C ′ which is the codomain of the isomorphism fromthe hyperelliptic curve C specified by the sequence of ring elements t, the ringelement e and the polynomial u, followed by the the isomorphism to the curve.

Example H107E8

We create the hyperelliptic curve y2 = x5 − 7 and apply a transformation to it.


> H1 := HyperellipticCurve(x^5-7);

> H2, phi := Transformation(H1, [0,1,1,0], 1/2, x^2+1);

> H2;

Hyperelliptic Curve defined by y^2 + (-2*x^2 - 2)*y = -7/4*x^6 - x^4 - 2*x^2 +

1/4*x - 1 over Rational Field

> phi;

(x : y : z) :-> (z : 1/2*y + x^2*z + z^3 : x)

> IsIsomorphic(H1, H2);

true (x : y : z) :-> (z : 1/2*y + x^3 + x*z^2 : x)

107.7.2 Arithmetic with IsomorphismsHyperelliptic curve isomorphisms can be evaluated, inverted, and composed on points asright operators. Note that the functional notation f(P ) is not presently available for thesemaps of curves. However the available map syntax @ is more consistent with functionsas operating on the right (which determines and is apparent from the way composition isdefined).

f * g

The composition of the maps f and g as right operators.

Inverse(f)

The inverse of the hyperelliptic curve isomorphism f .

f in M

Given an isomorphism of hyperelliptic curves f , and the structure of isomorphismsM between two hyperelliptic curves, this returns true if and only if they share thesame domains and codomains.


P @ f

Evaluate(f,P)

Returns the evaluation of f at a point P in its domain. The same functions applyequally to points in the Jacobian of the domain curve.

P @@ f

Pullback(f,P)

Returns the inverse image of the isomorphism f at a point P in its codomain. Thesame functions apply equally to points in the Jacobian of the codomain curve.

f eq g

Given isomorphisms f and g of hyperelliptic curves having the same domain andcodomain, this function returns true if and only if they are equal. Note that twoisomorphisms may be equal even if their defining data are distinct (see examplebelow).

107.7.3 Invariants of Isomorphisms

Parent(f)

The “parent structure” of an isomorphism between two hyperelliptic curves (whichcontains all isomorphisms with the same domain and codomain as the given isomor-phism).

Domain(f)

The curve which is the domain of the given isomorphism.

Codomain(f)

The curve which is the target of the given isomorphism.

107.7.4 Automorphism Group and Isomorphism TestingThis section details the features for computing isomorphisms between two curves anddetermining the group of automorphisms. The function IsGL2Equivalent plays a centralrole in the isomorphism testing, and is documented here due to its central role in thesecomputations.

IsGL2Equivalent(f, g, n)

This function returns true if and only if f and g are in the same GL2(k)-orbit,where k is the coefficient field of their parent, modulo scalars. The polynomials areconsidered as homogeneous polynomials of degree n, where n must be at least 4.The second return value is the sequence of all matrix entries [a, b, c, d] such that g(x)is a constant times f ((ax + b)/(cx + d)) (cx + d)n.


IsIsomorphic(C1, C2)

Verbose CrvHypIso Maximum : 3This function returns true if and only if the hyperelliptic curves C1 and C2 are iso-morphic over their common base field. If the curves are isomorphic, an isomorphismis returned.

AutomorphismGroup(C)

Given a hyperelliptic curve C of characteristic different from 2, the function returnsa permutation group followed by an isomorphism to the group of automorphismsof the curve over its base ring. The curve must be of genus at least one, and theautomorphism group is defined to consist of those automorphisms which commutewith the hyperelliptic involution, i.e. which induce a well-defined automorphism ofits quotient projective line. A third return value gives the action C ×G → C.

Example H107E9

We give an example of the computation of the automorphism group of a genus one hyperellipticcurve.


> C1 := HyperellipticCurve(x^3+x);

> G1, m1 := AutomorphismGroup(C1);

> #G1;

> [ m1(g) : g in G1 ];

[

(x : y : z) :-> (x : y : z),

(x : y : z) :-> (x : -y : z),

(x : y : z) :-> (z : y : x),

(x : y : z) :-> (z : -y : x)

]

We note that due to the weighted projective space, the same map may have a non-unique repre-sentation, however the equality function is able to identify equivalence on representations.

> f := m1(G1.3);

> f;

(x : y : z) :-> (z : y : x)

> g := Inverse(f);

> g;

(x : y : z) :-> (2*z : y : 2*x)

> f eq g;

true

We see that the geometric automorphism group is much larger. By base extending the curve to aquadratic extension, we find the remaining automorphisms of the curve.

> K<t> := GF(3,2);

> C2 := BaseExtend(C1, K);

> G2, m2 := AutomorphismGroup(C2);


> #G2;

48

> O := C2![1,0,0];

> auts := [ m2(g) : g in G2 ];

> [ f : f in auts | O@f eq O ];

[

(x : y : z) :-> (x : y : z),

(x : y : z) :-> (x : -y : z),

(x : y : z) :-> (x : t^2*y : 2*z),

(x : y : z) :-> (x + t^6*z : t^2*y : 2*z),

(x : y : z) :-> (x + t^6*z : y : z),

(x : y : z) :-> (x + t^2*z : y : z),

(x : y : z) :-> (x + t^2*z : t^2*y : 2*z),

(x : y : z) :-> (x : t^6*y : 2*z),

(x : y : z) :-> (x + t^6*z : t^6*y : 2*z),

(x : y : z) :-> (x + t^6*z : -y : z),

(x : y : z) :-> (x + t^2*z : -y : z),

(x : y : z) :-> (x + t^2*z : t^6*y : 2*z)

]

> #$1;

12

Note that this curve is an example of a supersingular elliptic curve in characteristic 3. In the finalcomputation we restrict to the automorphisms as an elliptic curve, i.e. those which fix the pointat infinity — the identity element of the group law.In the context of hyperelliptic curves of genus one, the group of automorphisms must stabilize theramification points of the hyperelliptic involution. These are precisely the 2-torsion elements asan elliptic curve. So we have an group extension by the 2-torsion elements, acting by translation.Converting to an elliptic curve, we find that there are two 2-torsion elements over F3:

> E1 := EllipticCurve(C1);

> A1 := AbelianGroup(E1);

> A1;



Relations:

4*$.1 = 0

We see that two of the 2-torsion elements are defined over F3, and the remaining ones appearover the quadratic extension. So in the former case the automorphism group is an extension ofthe elliptic curve automorphism group (of order 2) by Z/2Z, and in latter case the automorphismgroup is an extension (of the group of order 12) by the abelian group isomorphic to Z/2Z×Z/2Z.Note that there exist other curve automorphisms given by translations by other torsion points (un-der the addition as an elliptic curve), but that do not commute with the hyperelliptic involution,hence do not enter into the hyperelliptic automorphism group.


GeometricAutomorphismGroup(C)

Given a hyperelliptic curve C of genus 2 and characteristic different from 2 and 3the function returns a group isomorphic to the geometric automorphism group, i.e.the automorphism group of the curve over an algebraic closure of its base ring. Theautomorphism group is defined to consist of those automorphisms which commutewith the hyperelliptic involution, i.e. which induce a well-defined automorphismof its quotient projective line. A second return value gives the index of the groupin the database of small groups (see Chapter 57). The method used is to com-pute the Igusa-Clebsch invariants of the curve and then use Shaska and Volklein’sclassification of the possible automorphism groups in terms of the invariants, see[SV01].

Example H107E10

We give an example of the computation of the geometric automorphism group of a genus twohyperelliptic curve.


> f := x^6+x^3+13;

> C := HyperellipticCurve(f);

> time GeometricAutomorphismGroup(C);

Permutation group acting on a set of cardinality 6

Order = 12 = 2^2 * 3

(1, 2, 3, 4, 5, 6)

(1, 6)(2, 5)(3, 4)

<12, 4>

Time: 0.060

Note that AutomorphismGroup can be used to retrieve the same (and more!) information but thiscan be much slower.

> aut := AutomorphismGroup(C);

> aut;

Symmetric group aut acting on a set of cardinality 2

Order = 2

(1, 2)

Id(aut)

We need to extend the field!

> Qbar := AlgebraicClosure();

> Cbar := BaseChange(C, Qbar);

> time autbar := AutomorphismGroup(Cbar);

Time: 332.290

> autbar;

Permutation group autbar acting on a set of cardinality 12

Order = 12 = 2^2 * 3

(1, 2)(3, 4)(5, 6)(7, 8)(9, 10)(11, 12)

Id(autbar)


(1, 3)(2, 4)(5, 7)(6, 8)(9, 11)(10, 12)

(1, 5, 9)(2, 6, 10)(3, 11, 7)(4, 12, 8)

(1, 7)(2, 8)(3, 9)(4, 10)(5, 11)(6, 12)

(1, 9, 5)(2, 10, 6)(3, 7, 11)(4, 8, 12)

(1, 11)(2, 12)(3, 5)(4, 6)(7, 9)(8, 10)

> IdentifyGroup(autbar);

<12, 4>

107.8 Jacobians

The Jacobian of a hyperelliptic curve is implemented as the divisor class group of the curve.In particular, no equations giving the Jacobian as a variety ever appear. The Jacobianof any hyperelliptic curve can be created, but most of the interesting functionality is overfinite fields, or for genus 2 over number fields or Q.

107.8.1 Creation of a Jacobian

Jacobian(C)

The Jacobian of the hyperelliptic curve C.


Curve(J)

The hyperelliptic curve from which the Jacobian J was constructed.

Dimension(J)

The dimension of the Jacobian J as an algebraic variety, equal to the genus of thecurve C of which J is the Jacobian.

107.8.3 Base Ring

BaseField(J)

BaseRing(J)

CoefficientRing(J)

The base field of the Jacobian J .



BaseChange(J, F)

BaseExtend(J, F)

The base extension of the Jacobian J to the field F .

BaseChange(J, j)

BaseExtend(J, j)

The base extension of the Jacobian J obtained by the map j, where j is a ringhomomorphism with the base field of C as its domain.

BaseChange(J, n)

BaseExtend(J, n)

The base extension of the Jacobian J over a finite field to its degree n extension.

107.9 Points on the JacobianPoints on Jac(C) are represented as divisors on C. They can be specified simply by givingpoints on C, or divisors on C, or in the Mumford representation, which is the way Magmareturns them (and which it uses to store and manipulate them). Points can be added andsubtracted.

Representation of points on Jac(C): Let C be a hyperelliptic curve of genus g. A triple〈a(x), b(x), d〉 specifies the divisor D of degree d on C defined by

A(x, z) = 0, y = B(x, z)

where A(x, z) is the degree d homogenisation of a(x), and B(x, z) is the degree (g + 1)homogenisation of b(x). Note that the equation y = B(x, z) make sense projectivelybecause y has weight g + 1 (as always for hyperelliptic curves in Magma).

The point on Jac(C) corresponding to 〈a(x), b(x), d〉 is then D minus a multiple of thedivisor at infinity on C. So, when there is a single point P∞ at infinity, we have D− dP∞.Otherwise, there is a Q-rational divisor P+∞+P−∞ consisting of the two points at infinity;in this case d is required to be even and we have D − (d/2)(P+∞ + P−∞).

All points on Jac(C) can be expressed in this way, except when g is odd and there areno rational points at infinity (in which case the extra points can not be created in Magma,and arithmetic on points is not implemented). There is a uniquely determined “reduced”triple representing each point, which Magma uses to represent any point it encounters.

See the examples in the following section (“Creation of Points”).

Technical details: In order to make sense, a triple 〈a(x), b(x), d〉 is required to satisfy:

(a)a(x) is monic of degree at most g;(b)b(x) has degree at most g + 1, and a(x) divides b(x)2 + h(x)b(x) − f(x), where h(x)

and f(x) are the defining polynomials of C;


(c) d is a positive integer with deg(a(x)) ≤ d ≤ g + 1, such that the degree of b(x)2 +h(x)b(x)− f(x) is less than or equal to 2g + 2− d + deg(a(x)).

For uniqueness of representation, in the case of one point at infinity, (the odd degree case,in particular), we require that d = deg(a(x)).

A triple 〈a(x), b(x), d〉 is reduced to a canonical representative as follows:

(a) If d = deg(a(x)), we reduce b mod a, so deg(b(x)) < deg(a(x)).(b)If a = 1, we assume that deg(B(1, z)) = d.(c) A unique representative for b(x) is found such that the coefficient of xk in b is zero for

deg(a(x)) ≤ k ≤ deg(a(x)) + g + 1− d.

For certain models of C, not all rational points can be represented in the above form (withthe restrictions on d) or the representation is not unique. The bad cases are g odd and (i)0 or (ii) 2 rational points at infinity.

In case (i) we would have to allow divisors with deg(a(x)) = g + 1, which give linearpencils of equivalent divisors, and in case (ii) a Jacobian point with d = g +1 has preciselytwo canonical representatives.

In case (i), there is no obvious canonical representative for these additional Jacobianpoints and currently Magma does not deal with them. Consequently, arithmetic is notimplemented in this case.

However, in case (ii), the two representatives correspond to the two distinguished ele-ments of a linear pencil of divisors which include contributions from one or the other pointat infinity. By arbitrarily selecting one of these two infinite points as the default, a uniquerepresentative can be chosen. This is now performed internally by Magma, the defaultpoint being chosen at the time of creation of the Jacobian. Arithmetic is also implemented.Note that in this case, extra work is generally required in point addition to keep track ofpoints at infinity and final reduction to the unique representation. If very fast addition iscrucial when C is of this type, it is generally wise to use an isomorphic model with exactlyone point at infinity, if possible, by moving a rational Weierstrass point to infinity.


J ! 0

Id(J)

Identity(J)

The identity element on the Jacobian J .

J ! [a, b]

elt< J | a, b >

elt< J | [a, b] >

elt< J | a, b, d >

elt< J | [a, b], d >


The point on the Jacobian J defined by the polynomials a and b and the positiveinteger d; if not specified then d is taken to be deg(a).

P - Q

J ! [P, Q]

elt< J | P, Q >

For points P and Q on a hyperelliptic curve, this constructs the image of the divisorclass [P −Q] as a point on its Jacobian J .

J ! [S, T]

elt< J | S, T >

Given two sequences S = [Pi] and T = [Qi] of points on the hyperelliptic curve withJacobian J , each of length n, this returns the image of the divisor class

∑i[Pi] −∑

i[Qi] as a point on the Jacobian J .

JacobianPoint(J, D)

The point on the Jacobian J (of a hyperelliptic curve C) associated to the divisor Don C. If D does not have degree 0, then a suitable multiple of the divisor at infinityis subtracted. When the divisor at infinity on C has even degree, D is required tohave even degree.

The function works for any divisor such that the corresponding point is definablein Magma. It is not implemented for characteristic 2.

J ! P

Given a point P on a Jacobian J ′, construct the image of P on J , where J is a baseextension of J ′.

Points(J, a, d)

RationalPoints(J, a, d)

Find all points on the Jacobian J with first component a and degree d. Onlyimplemented for genus 2 curves of the form y2 = f(x).

Example H107E11

Points on y2 = x6 − 3x− 1 and their images on the Jacobian.


> C := HyperellipticCurve(x^6-3*x-1);

> C;

Hyperelliptic Curve defined by y^2 = x^6 - 3*x - 1 over Rational Field

> J := Jacobian(C);

> J; // Magma didn’t do much work to create J

Jacobian of Hyperelliptic Curve defined by y^2 = x^6 - 3*x - 1 over Rational Field

Find some points on C and map them to J (using the first point to define the map C → J):

> ptsC := Points(C : Bound := 100);


> ptsC;

@ (1 : -1 : 0), (1 : 1 : 0), (-1 : -1 : 3), (-1 : 1 : 3) @

> ptsJ := [ ptsC[i] - ptsC[1] : i in [2,3,4] ];

> ptsJ;

[ (1, x^3, 2), (x + 1/3, x^3, 2), (x + 1/3, x^3 + 2/27, 2) ]

We recreate the first of these, giving it in Magma’s notation (which is read as “the divisor ofdegree 2 on C determined by z2 = y − x3 = 0”).

> pt1 := elt< J | [1,x^3], 2 >;

> pt1 eq ptsJ[1];

true

The degree of the divisor must be specified here, otherwise it is assumed to be deg(a(x)) = 0:

> pt1 := J! [1,x^3];

> pt1; pt1 eq J!0;

(1, 0, 0)

true

Example H107E12

We define the nontrivial 2-torsion point on the Jacobian of C : y2 = (x2 + 1)(x6 + 7).The divisor (y = 0, x2 + 1 = 0) should define the only nontrivial 2-torsion point in J(Q).


> C := HyperellipticCurve( (x^2+1)*(x^6+7) );

> J := Jacobian(C);

Define the point corresponding to the divisor given by x2 + 1 = 0, y = 0 on C. We can use thesimpler syntax, not specifying that the degree of the divisor is 2, because this equals the degreeof a(x) = x2 + 1.

> Ptors := J![x^2+1, 0];

> Ptors;

(x^2 + 1, 0, 2)

The alternative syntax would be as follows.

> Ptors1 := elt< J | [x^2+1, 0], 2 >;

> Ptors eq Ptors1; // Are they the same?

true

Check that Ptors has order 2:

> 2*Ptors;

(1, 0, 0)

> $1 eq J!0; // Is the previous result really the trivial point on J?

true

> Order(Ptors); // Just to be absolutely sure ...

2

The other factor x6 + 7 will give the same point on J :

> Ptors2 := J![x^6+7,0];


(x^2 + 1, 0, 2)

Note that Magma returned the unique reduced triple representing this point, which means we caneasily check whether or not it is the same point as Ptors.For alternative ways to obtain 2-torsion points, see the section on torsion.

Example H107E13

A Jacobian with a point not coming from the curve.Any curve containing the point (

√2,√

2) has a Q-rational divisor

D := (√

2,√

2) + (−√

2,−√

2).

This will give a nontrivial point in J(Q). For instance, take y2 = x6 − 6.


> C := HyperellipticCurve(x^6-6);

> J := Jacobian(C);

The divisor D has degree 2 and is given by x2 − 2 = y − x = 0.

> pt := J![x^2-2, x];

> pt; // What is pt?

(x^2 - 2, x, 2)

> Parent(pt); // Where does pt live?

Jacobian of Hyperelliptic Curve defined by y^2 = x^6 - 6 over Rational Field

> pt eq J!0; // Is pt equal to 0 on J?

false

> Order(pt);

0

This means that P has infinite order in J(Q).Alternatively we can construct the same point by first constructing the divisor, giving it as anideal in the homogeneous coordinate ring in which C lives. (Note that Y has weight 3).

> P<X,Y,Z> := CoordinateRing(Ambient(C));

> D := Divisor(C, ideal );

> pt1 := J!D;

> pt eq pt1;

true

107.9.2 Random Points

Random(J)

A random point on a Jacobian J of a hyperelliptic curve defined over a finite field.


107.9.3 Booleans and Predicates for PointsFor each of the following functions, P and Q are points on the Jacobian of a hyperellipticcurve.

P eq Q

Returns true if and only if the points P and Q on the same Jacobian are equal.

P ne Q

Returns false if and only if the two points P and Q on the same Jacobian areequal.

IsZero(P)

IsIdentity(P)

Returns true if and only if P is the zero element of the Jacobian.


P[i]

Given an integer 1 ≤ i ≤ 2, this returns the i-th defining polynomial for the Jacobianpoint P . For i = 3, this returns the degree d of the associated reduced divisor.

Eltseq(P)


Given a point P on the Jacobian J of a hyperelliptic curve, the function returnsfirstly, a sequence containing the two defining polynomials for the divisor associatedto P and secondly, the degree of the divisor.

107.9.5 Arithmetic of PointsFor each of the following functions, P and Q are points on the Jacobian of a hyperellipticcurve.

-P

The additive inverse of the point P on the Jacobian.

P + Q

The sum of the points P and Q on the same Jacobian.

P +:= Q

Given two points P and Q on the same Jacobian, set P equal to their sum.

P - Q

The difference of the points P and Q on the same Jacobian.


P -:= Q

Given two points P and Q on the same Jacobian, set P equal to the difference P−Q.

n * P

P * n

The n-th multiple of P in the group of rational points on the Jacobian.

P *:= n

Set P equal to the n-th multiple of itself.

107.9.6 Order of Points on the Jacobian

Order(P)

Returns the order of the point P on the Jacobian J of a hyperelliptic curve definedover a finite field or the rationals, or 0 if P has infinite order. This first computes#J when J is defined over a finite field.

Order(P, l, u)

Alg MonStg Default : "Shanks"

UseInversion BoolElt Default : true

Returns the order of the point P where u and l are bounds for the order of P or forthe order of J the parent of P . This does not compute #J .

If the parameter Alg is set to "Shanks" then the generic Shanks algorithm isused, otherwise, when Alg is "PollardRho", a Pollard-Rho variant is used (see[GH00]).

If UseInversion is true the search space is halved by using point negation.

Order(P, l, u, n, m)

Alg MonStg Default : "Shanks"

UseInversion BoolElt Default : true

Returns the order of the point P where u and l are bounds for the order of P or forthe order of J the parent of P and where n and m are such that the group order isn mod m. This does not compute #J .

The two parameters Alg and UseInversion have the same use as in the previousfunction.

HasOrder(P, n)

Given a point P on the Jacobian J of a hyperelliptic curve and a positive integer n,this returns true if the order of the point is n.


107.9.7 Frobenius

Frobenius(P, k)


Given a point P that lies on the Jacobian J of a hyperelliptic curve that is definedover the finite field k = Fq, determine the image of P under the Frobenius mapx → xq. If Check is true, Magma verifies that the Jacobian of P is defined over k.

107.9.8 Weil Pairing

WeilPairing(P, Q, m)

Computes the Weil pairing of P and Q, where P and Q are m-torsion points on the2-dimensional Jacobian J defined over a finite field.

Example H107E14

The following illustrates the use of the Weil Pairing in the MOV-reduction of the discrete logarithmproblem on a Jacobian.

> PP<x>:=PolynomialRing(GF(2));

> h := PP!1;

> f := x^5 + x^4 + x^3 + 1;

> J := Jacobian(HyperellipticCurve(f,h)); // a supersingular curve

> Jext := BaseExtend(J, 41);

> Factorization(#Jext);

[ <7, 1>, <3887047, 1>, <177722253954175633, 1> ]

> m := 177722253954175633; // some big subgroup order

> cofact := 3887047*7;

> P := cofact*Random(Jext);

> Q := 876213876263897634*P; // Q in 

Say we want to recompute the logarithm of Q in base P .

> Jext2 := BaseExtend(Jext, 6); // go to an ext of deg 6

> NJ := #Jext2;

>

> R := Random(Jext2);

> R *:= NJ div m^Valuation(NJ, m);

>

> eP := WeilPairing(Jext2!P, R, m);

> eQ := WeilPairing(Jext2!Q, R, m);

> assert eP^876213876263897634 eq eQ;

So the discrete log problem on the Jacobian has been reduced to a discrete log problem in a finitefield.


107.10 Rational Points and Group Structure over finite fields

107.10.1 Enumeration of Points

Points(J)

RationalPoints(J)

Given a Jacobian J of a hyperelliptic curve defined over a finite field, determine allrational points on the Jacobian J .

107.10.2 Counting Points on the JacobianSeveral algorithms are used to compute the order of a Jacobian depending of its size, itsgenus and its type. In particular, in genus 2 it includes all the techniques described in[GH00]. The best current algorithms are the ones based on p-adic liftings. These arethe defaults when they apply (see below) and the characteristic is not too large. In oddcharacteristic, Kedlaya’s algorithm is used as described in [Ked01]. For characteristic 2,we have Mestre’s canonical lift method as adapted by Lercier and Lubicz. Details canbe found in [LL]. We also now have an implementation of Vercauteren’s characteristic 2version of Kedlaya (described in [Ver02]). As an added bonus, the p-adic methods actuallygive the Euler factor (see below). A verbose flag can be set to see which strategy is chosenand the progress of the computation.

The latest p-adic methods, faster than Kedlaya in odd characteristic, are those ofAlan Lauder based on deformations over parametrised families. Magma incorporates animplementation for hyperelliptic families by Hendrik Hubrechts (see [Hub06] for details).This has a slightly different interface to the other methods (which all run through the sametop-level intrinsics) as it can be used to count points on several members of the family atonce.

SetVerbose("JacHypCnt", v)

Set the verbose printing level for the point-counting on the Jacobians. Currentlythe legal values for v are true, false, 0, 1, 2, 3 or 4 (false is the same as 0, andtrue is the same as 1).

#J

Order(J)

Given the Jacobian J of a hyperelliptic curve defined over a finite field, determinethe order of the group of rational points.

There are 4 optional parameters which concern every genus.NaiveAlg BoolElt Default : false

ShanksLimit RngIntElt Default : 1012

CartierManinLimit RngIntElt Default : 5× 105

UseSubexpAlg BoolElt Default : true


The parameter NaiveAlg can be set to one if one want to use the naive algorithm forpoint counting, consisting in counting points on the curve over the first g extensions,where g is the genus. Setting this parameter to true annihilates the effects ofthe others. By default, this strategy is used for small groups and Jacobians incharacteristic 2 for which no group law is available.

In odd characteristic, Kedlaya’s algorithm can be applied to curves of any genusand it is the default when the group is not too small or the characteristic too large.

In contrast, Mestre’s characteristic 2 method has several conditions on its appli-cability. When these are satisfied and the genus is not too large or the group ordertoo small, it is the default.• Firstly, the Jacobian must be ordinary. This is equivalent to the defining poly-

nomial h(x) having degree g or g + 1 and having distinct roots (ie non-zerodiscriminant).

• Next, there must be a group law available for a final elimination: the algorithmproduces several possibilities for the characteristic polynomial of Frobenius. Ifno group law is available, we attempt to replace the curve with an isomorphicone for which one is. Note that a group law exists if there is a single point atinfinity (degree of h(x) = g).

Warning : Even if these conditions are satisfied, the last phase of the algorithm maystill fail for g ≥ 4 in unusual cases. However, this is very rare. Finally, it should benoted that the main algorithm works over the smallest extension of the ground fieldK over which h(x) splits. It is therefore much faster if h(x) has all its roots in K.

When the genus is > 4 or the canonical lift method doesn’t apply, Vercauteren’sversion of Kedlaya is now used in its place. It is also used for genus 4 when anextension of the base field is required for Mestre: ie, h(x) doesn’t split.

UseGenus2 BoolElt Default : false

For genus 2 the methods mentioned at the start are applied if the parameterUseGenus2 is set to true. Otherwise they are now only used for large characteristic.

If none of the above apply, the remaining methods are the subexponential algo-rithm, which uses the generic machinery of the function fields, and general grouporder algorithms of Shanks and Pollard. The subexponential algorithm will be thefirst choice if no group law is available or the genus is large and the base field small.It can be disabled by setting UseSubexpAlg to false.

The parameter ShanksLimit determines when we switch from a memory-consuming Shanks’ algorithm to a slower Pollard’s method. The value of the pa-rameter CartierManinLimit is the maximal characteristic for which we may usethe Cartier-Manin trick (see function EulerFactorModChar below).

The next 2 parameters are used only for the genus 2 methods in odd character-istic.

UseSchoof BoolElt Default : true

UseHalving BoolElt Default : true


When the base field is large enough, it is better to firstly compute the cardinality ofthe Jacobian modulo some odd primes and some power of two. These two parametersallow the user to disable one or both of these methods.

Example H107E15

In the following sequence of examples the different point counting methods are illustrated. Thefirst example uses direct counting.

> SetVerbose("JacHypCnt",true);


> f := x^8 + 3*x^7 + 2*x^6 + 23*x^5 + 5*x^4 + 21*x^3 + 29*x^2 + 12*x + 9;

> J := Jacobian(HyperellipticCurve(f));

> time #J;

Using naive counting algorithm.

20014

Time: 0.020

Example H107E16

For the second example, we apply Kedlaya’s algorithm to a genus curve 2 over GF (320).

> K := FiniteField(3,20);

> P<x> := PolynomialRing(K);

> f := x^5 + x + K.1;


> #J;

Using Kedlaya’s algorithm.

Applying Kedlaya’s algorithm

Total time: 2.310

12158175772023384771

Example H107E17

For the third example, we apply Vercauteren’s algorithm to a non-ordinary genus curve 2 overGF (225)..



> f := x^5 + x^3 + x^2 + K.1;

> J := Jacobian(HyperellipticCurve([f,K!1]));

> time #J;

Using Kedlaya/Vercauteren’s algorithm.

1125899940397057

Time: 0.680


Example H107E18

For the third example, we apply Mestre’s algorithm to a genus 3 ordinary curve over GF (225).



> h := x*(x+1)*(x+K.1);

> f := x^7 + x^5 + x + K.1;

> C := HyperellipticCurve([f,h]);

> J := Jacobian(C);

> #J;

Using Mestre’s method.

Total time: 0.440

37780017712685037895040

> SetVerbose("JacHypCnt",false);

As the full Euler factor of J has been computed and stored the number of points on C, the Zetafunction for C and the Euler factor for C are now immediate.

> time #C;

33555396

Time: 0.000

Example H107E19

We compare the Shanks and Pollard methods for large prime fields.

> // Comparison between Shanks and Pollard:


> f := x^7 + 123456*x^6 + 123*x^5 + 456*x^4 + 98*x^3 + 76*x^2 + 54*x + 32;


> curr_mem := GetMemoryUsage(); ResetMaximumMemoryUsage();

> time Order(J : ShanksLimit := 10^15);

1001800207033014252

Time: 19.140

> GetMaximumMemoryUsage()-curr_mem;

133583360

The computation took about 100 MB of central memory.

> delete J‘Order; // clear the result which has been stored

> curr_mem := GetMemoryUsage();

> ResetMaximumMemoryUsage();

> time Order(J : ShanksLimit := 0);

1001800207033014252

Time: 95.670

> GetMaximumMemoryUsage()-curr_mem;

0

Now it takes almost no memory, but it is slower (and runtime may vary a lot).


Example H107E20

In the case of genus 2 curves, the parameters UseSchoof and UseHalving do help.

> // Using Schoof and Halving true is generally best in genus 2


> f := x^5 + 456*x^4 + 98*x^3 + 76*x^2 + 54*x + 32;


> time Order(J);

10001648178050390

Time: 7.350

> delete J‘Order;

> time Order(J: UseSchoof := false, UseHalving := false);

10001648178050390

Time: 21.080

But if the Jacobian is known in advance to be highly non–cyclic, it may be slightly better toswitch them off. The Jacobian below is the direct product of two copies of the same supersingularelliptic curve.

> // ... but not always for highly non-cyclic Jacobians


> f := x^5 + 250039*x^4 + 222262*x^3 + 416734*x^2 + 166695*x + 222259;


> time Order(J);

250084007056

Time: 1.920

> delete J‘Order;

> time Order(J : UseSchoof:=false, UseHalving := false);

250084007056

Time: 1.870

FactoredOrder(J)

Given the Jacobian J of a hyperelliptic curve defined over a finite field, the functionreturns the factorization of the order of the group of rational points.

EulerFactor(J)

Given the Jacobian J of a hyperelliptic curve defined over a finite field, the functionreturns the Euler factor J , i.e. the reciprocal of the characteristic polynomial ofFrobenius acting on H1(J). (see also ZetaFunction(C) which is essentially thesame function and has the same behaviour).

EulerFactorModChar(J)

Given the Jacobian J of a hyperelliptic curve defined over a finite field, the functionreturns the Euler factor J modulo the characteristic of the base field. This functionshould not be used in high characteristic (say p should be ≤ 106).


EulerFactor(J, K)

Given a Jacobian J of a hyperelliptic curve defined over the rationals and a finitefield K at which J has good reduction, the function returns the Euler factor of thebase extension of J to K.

107.10.3 Deformation Point Counting

JacobianOrdersByDeformation(Q, Y)

EulerFactorsByDeformation(Q, Y)

ZetaFunctionsByDeformation(Q, Y)

These functions compute the orders of Jacobians (resp. Euler factors, resp. Zetafunctions) of one or more hyperelliptic curves in a 1-parameter family over a finitefield using deformation methods.

Q(x, z) should be a 2-variable polynomial in variables x and z over a finite fieldof odd characteristic k. Currently Q must be monic of odd degree as a polynomialin x. z is the parameter and the familiy of curves is given by y2 = Q(x, z).

Y should be a sequence of elements in a finite field extension K of k. Thefunction then computes and returns the sequence of orders, Euler factors or Zetafunctions associated to the hyperelliptic curves over K obtained by specialising thez parameter of Q(x, z) to the elements of Y .

Over a field of size pn, for n not too large, it is efficient to compute the resultsfor several curves in the family at once, as roughly half of the computation for anindividual curve is taken up in computing a Frobenius matrix that is then specialisedto the parameter value. For a sequence of input parameter values, this part of thecomputation is only performed once at the start. However, as n becomes larger, thetime taken for the specialisation at a particular value starts to dominate.

The field k over which the family is defined should be of small degree over theprime field. This is because Kedlaya’s algorithm is applied over k to a particularmember of the family with the parameter specialised to a k-value to initialise thedeformation.

Similarly, the algorithm is much faster when Q(x, z) is of small degree in theparameter z. In practice, the degree of Q(x, z) as a polynomial in z, probablyshouldn’t exceed 3 or 4 (linear is obviously best).

There are two further conditions on Q and Y which we will try to remove in thenear future. The first is that no Y -value is zero. The second is that the genericdiscriminant of Q (resultant of Q and ∂Q/∂x w.r.t. x) must have leading coefficient(as a polynomial in z) a unit in W (k). Here, W (k) is the ring of integers of theunramified extension of Qp with residue class field k and Q is a lift of Q to a 2-variable polynomial over W (k). By translating and scaling the parameter, the usermay be able to effect these two conditions if they aren’t initially satisfied.

As with the other point-counting functions, the verbose flag JacHypCnt can beused to output information during processing.


Example H107E21

The following is a small example where the Euler factors for 4 random members of a linear familyof elliptic curves are computed with a single call. The base field is F9 and the parameter valuesare taken in F340 which is the field over which the counting occurs.

> Fp := FiniteField(3^2);

> R<X,Y> := PolynomialRing(Fp,2);

> Q := X^3+X^2-2*X+Fp.1+Y*(X^2-X+1);

> Fq := ext<Fp | 20>;

> values := [Random(Fq) : i in [1..4]];

> EFs := EulerFactorsByDeformation(Q,values);

> EFs;

[

12157665459056928801*$.1^2 + 852459373*$.1 + 1,

12157665459056928801*$.1^2 + 1088717005*$.1 + 1,

12157665459056928801*$.1^2 + 6911064226*$.1 + 1,

12157665459056928801*$.1^2 - 607949990*$.1 + 1

]

107.10.4 Abelian Group Structure

Sylow(J, p)

Given the Jacobian J of a hyperelliptic curve defined over a finite field and a primep, this function returns the Sylow p-subgroup of the group of rational points of J ,as an abstract abelian group A. The injection from A to J is also returned as wellas the generators of the p-Sylow subgroup.

AbelianGroup(J)

UseGenerators Bool Default : false

Generators SetEnum Default :

Given the Jacobian J of a hyperelliptic curve defined over a finite field K, thisfunction returns the group of rational points of J as an abstract abelian group A.The isomorphism from A to J(K) is returned as a second value.

If UseGenerators is set then the group structure computation is achieved byextracting relations from the user-supplied set of generators in Generators.

HasAdditionAlgorithm(J)

Returns true if and only if the Jacobian J has an addition algorithm. This is ofinterest when trying to construct the (abelian) group structure of J : When nouser-supplied generators are given, such an algorithm must be present.


107.11 Jacobians over Number Fields or QSome functions in this section work for general number fields (notably TwoSelmerGroup),while many are only implemented over Q.

107.11.1 Searching For Points

Points(J)

RationalPoints(J)

Bound RngInt Default : 0Given a Jacobian J of a genus 2 hyperelliptic curve defined over the rationals of theform y2 = f(x), where f has integral coefficients, determine all rational points onthe Jacobian J whose naive height on the associated Kummer surface is less thanor equal to Bound.

107.11.2 Torsion

TwoTorsionSubgroup(J)

Given the Jacobian J of a genus 2 curve C defined over a number field K, the functionreturns J(K)[2] as an abstract group, together with a map sending elements of theabstract group to points on J . The curve C must be given in the simplified formy2 = f(x).

TorsionBound(J, n)

Given the Jacobian J of a hyperelliptic curve defined over the rationals, this functionreturns a bound on the size of the rational torsion subgroup of the Jacobian. Thebound is obtained by examining the group J(Fp) for the first n good primes p.

TorsionSubgroup(J)

Given the Jacobian J of a genus 2 curve defined over the rationals, this functionreturns the rational torsion subgroup of J , and the map from the group into J . Thecurve must have the form y2 = f(x) with integral coefficients.

Example H107E22

For the curveC : y2 = (x + 3) ∗ (x + 2) ∗ (x + 1) ∗ x ∗ (x− 1) ∗ (x− 2),

the only Q-rational torsion on the Jacobian is 2-torsion.


> C := HyperellipticCurve(&*[x-n : n in [-3..2]]);

> J := Jacobian(C);

> T, m := TwoTorsionSubgroup(J);

> T;

Abelian Group isomorphic to Z/2 + Z/2 + Z/2 + Z/2



Relations:

2*P[1] = 0

2*P[2] = 0

2*P[3] = 0

2*P[4] = 0

> [ m(T.i) : i in [1..4] ];

[ (x^2 - 3*x + 2, 0, 2), (x^2 - 2*x, 0, 2), (x^2 - x - 2, 0, 2),

(x^2 - 4, 0, 2) ]

> #T eq #TorsionSubgroup(J);

true

The Jacobian for the following curve has torsion subgroup Z/24 over Q.

> C := HyperellipticCurve((2*x^2-2*x-1)*(2*x^4-10*x^3+7*x^2+4*x-4));

> J := Jacobian(C);

> T, m := TwoTorsionSubgroup(J);

> T;



Relations:

2*P[1] = 0

> m(T.1);

(x^2 - x - 1/2, 0, 2)

> A,h := TorsionSubgroup(J);

> #T eq #A;

false

> A;



Relations:

24*P[1] = 0

> P := h(A.1);

> P;

(x^2 - 1/2, -1, 2)

> Order(P);

24

> 12 * P eq m(T.1);

true


107.11.3 Heights and RegulatorThis section pertains to height functions on the Mordell–Weil group of the Jacobian ofgenus two curves over Q. The canonical height is computed using the algorithm of Flynnand Smart[FS97] with improvements by Stoll[Sto99].

Notes on the theory: Heights are a useful tool for proving things about rational pointson varieties. The most standard applications concerning points on Jacobians are• proving independence of points in J(Q)/Jtors(Q) (in particular, the regulator is defined

in terms of the canonical height), and• proving non-divisibility: given P ∈ J(Q) and n ∈ Z, proving that P is not of the form

nR for some R ∈ J(Q).The heights in this section are logarithmic, and they measure the size of the coordinates

of the image of P on the Kummer surface associated to J (embedded in P3). The naiveheight h is simply the height of the image of P in P3. One can refine this, taking advantageof the group law on J , defining a canonical height which has nice properties with respectto the group law, for instance hcan(nP ) = n2hcan(P ). In particular, hcan(P ) = 0 if andonly if P is a torsion point. The function h− hcan is bounded on J(Q). Computationally,one generally wants an upper bound on this, because then one can find all points up to agiven canonical height by doing a naive search.

NaiveHeight(P)

Given a point P on the Jacobian of a hyperelliptic curve (or on the associatedKummer surface), the function returns the logarithmic height of the image of P inP3 under the maps J → K → P3.

Height(P: Precision)

CanonicalHeight(P: Precision)

Precision RngIntElt Default : 0The canonical height of a point on the Jacobian of a hyperelliptic curve over Q (oron the associated Kummer surface).

HeightConstant(J: parameters)

Effort RngIntElt Default : 0Factor BoolElt Default : false

Given the Jacobian J of a genus 2 curve over Q of the form y2 = f(x) with integralcoefficients, this computes a real number c such that h(P ) ≤ hcan(P ) + c for all Pin J(Q), where h is the naive height and hcan is the canonical height.

The parameter Effort (which can be 0, 1 or 2) indicates how much effort shouldbe put into finding a good bound. The second value returned is a bound for µ∞,the contribution from the infinite place. If the parameter Factor is true, then thediscriminant will be factored, and its prime divisors will be considered individually,usually resulting in an improvement of the bound.


HeightPairing(P, Q: Precision)


The value of the canonical height pairing for rational points P and Q on the Jacobianof a genus 2 curve. The pairing can be defined as 〈P, Q〉 := (h(P + Q) − h(P ) −h(Q))/2.

HeightPairingMatrix(S: Precision)


Given a sequence [P1, ...Pn] of points on the Jacobian J of a hyperelliptic curve, thisfunction returns the matrix with entries 〈Pi, Pj〉, where this denotes the canonicalheight pairing.

Regulator(S: Precision)


Given a sequence S of points on the Jacobian J of a hyperelliptic curve, the functionreturns the determinant of the height pairing matrix of S. The regulator is equalto zero when the points are dependent in the Mordell–Weil group, and otherwise isequal to the square of the volume of the parallelotope spanned by the points in thesubgroup of the free quotient of J(Q) generated by S.

ReducedBasis(S: Precision)


Given a sequence of points on the Jacobian J of a hyperelliptic curve, this functionreturns an LLL-reduced basis for the subgroup of J(Q)/Jtors(Q) generated by thegiven points (that is, the function reduces the real lattice formed by the points,under the positive definite quadratic form given by the canonical height pairing).The height pairing matrix of the sequence is returned as a second value.

Example H107E23

This example illustrates some basic properties of heights, and proves that a certain point in J(Q)is not a nontrivial multiple of any other point in J(Q). Let J be the Jacobian of y2 = x6 +x2 +2.



> J := Jacobian(C);

Find some small points on C and map them to J:

> ptsC := Points(C : Bound:=1000);

> ptsJ := [ ptsC[i] - ptsC[1] : i in [2,3,4,5,6] ];

> ptsJ;

[ (1, x^3, 2), (x + 1, x^3 - 1, 2), (x + 1, x^3 + 3, 2), (x - 1, x^3 - 3, 2),


(x - 1, x^3 + 1, 2) ]

The canonical heights of these five points:

> [ Height(P) : P in ptsJ ];

[ 0.479839797450405152023279542502, 0.000000000000000000000000000000,

0.479839797450405152023279542491, 0.479839797450405152023279542491,

0.000000000000000000000000000000 ]

We see that two of them are torsion (hcan = 0), and the others are probably equal or inverse toeach other modulo torsion, because they appear to have the same canonical height. If so, theywould generate a subgroup of rank 1 in J(Q)/Jtors(Q). The next command verifies this.

> ReducedBasis(ptsJ);

[ (x + 1, x^3 + 3, 2) ]

[0.479839797450405152023279542491]

> P := ptsJ[3];

> P;

(x + 1, x^3 + 3, 2)

So this point (which is the third point in our list) generates the others. We proceed to check thatthe other two non-torsion points in our list are equal to P + T or −P + T for some torsion pointT .

> Jtors, maptoJ := TorsionSubgroup(J);

> ptsJ[1], ptsJ[4] subset pt + maptoJ(T) : pt in P,-P, T in Jtors ;

true

Now we check the property hcan(nP ) = n2hcan(P ) for n = 23.

> Height(23*P)/Height(P);

529.000000000000000000000000000

Of course, the naive height does not behave so nicely, but at least it should satisfy

h ≤ hcan + HeightConstant(J).

> HC := HeightConstant(J : Effort:=2, Factor);

> HC;

3.73654623288305720113473940376

In particular, all torsion points should have naive height less than this.

> for T in Jtors do

> NaiveHeight(maptoJ(T));

> end for;

0.000000000000000000000000000000

0.693147180559945309417232121458

0.693147180559945309417232121458

0.693147180559945309417232121458

0.693147180559945309417232121458

0.693147180559945309417232121458

0.693147180559945309417232121458


0.693147180559945309417232121458

> // Does the inequality hold for 23*P?

> NaiveHeight(23*P) - Height(23*P) le HeightConstant(J);

true

Finally, we show that P is not a nontrivial multiple of another point in J(Q)/Jtors(Q) (implyingthat P generates J(Q)/Jtors(Q) if this has rank 1). For suppose that P = nQ + T for someQ ∈ J(Q), T ∈ Jtors(Q). Then hcan(Q) = (1/n2)hcan(P ) < hcan(P ), and the following searchshows there is no Q satisfying this bound.

> LogarithmicBound := Height(P) + HeightConstant(J); // Bound on the naive h(Q)

> AbsoluteBound := Ceiling(Exp(LogarithmicBound));

> PtsUpToAbsBound := Points(J : Bound:=AbsoluteBound );

> ReducedBasis( [ pt : pt in PtsUpToAbsBound ]);

[ (x^2 + 1/2*x + 1/2, 1/4*x - 5/4, 2) ]

[0.479839797450405152023279542491]

If Q exists, it would have to be in the set PtsUpToAbsBound. But the results of the final com-mand indicate that the group generated by PtsUpToAbsBound is also generated by a single pointof canonical height 0.479839797450405152023279542491, so there are no nontorsion points Q inPtsUpToAbsBound with hcan(Q) < hcan(P ).This example is continued in Example H107E27, where we prove that J(Q) has rank 1, and thenuse the fact that P generates J(Q)/Jtors(Q) to find all rational points on C.

Example H107E24

We compute a reduced basis for a set of points on the Jacobian J on the genus two curveC : y2 = x6 + x2 + 1.



> J := Jacobian(C);

We construct some points on C:

> Z := PointsAtInfinity(C);

> Z;

@ (1 : -1 : 0), (1 : 1 : 0) @

> P1 := Z[1];

> P2 := Z[2];

> P3 := C![1/2,9/8,1];

> P4 := C![-1/2,9/8,1];

We now map them to J (for example Q1 is the divisor P1− P2):

> Q1 := J![P1, P2];

> Q2 := J![P1, P3];

> Q3 := J![P3, P4];

> B, M := ReducedBasis([Q1, Q2, Q3] : Precision := 12);

> B; // This will be a basis for <Q1, Q2, Q3>

[ (1, -x^3, 2), (x^2, 1, 2) ]

> M; // The height pairing matrix for the new basis B


[0.2797317933688278287667056839 -5.005347463630776922E-17]

[ -5.005347463630776922E-17 0.9524462128097307697800077959]

> Determinant(M);

0.2664294871966142247655164984

Since Det(M) is nonzero, the two generators in B are independent.

107.11.4 The 2-Selmer GroupThe principal functions in this section provide information about the Mordell-Weil groupJ(K) of a hyperelliptic Jacobian defined over the rationals or a number field. Two descentprovides an upper bound (since J(K)/2J(K) embeds in the 2-Selmer group of J). Finerinformation is provided by HasSquareSha, which determines the parity of the 2-rank ofthe Shafarevich–Tate group, and RankBounds collects together all the information that iscomputable in Magma.

In Magma 2.13, there is now a simpler user interface for computing 2-Selmer groups.The two implementations that were previously available still exist internally, and whenTwoSelmerGroup is called, it chooses one of them (or the user may choose).

BadPrimes(C)

BadPrimes(J)

Badness RngIntElt Default : 1

Given a hyperelliptic curve C with integral coefficients defined over a number field(or the Jacobian of such a curve), the function returns a sequence containing theprimes where the given model has bad reduction.

HasSquareSha(J)

IsEven(J)

Given the Jacobian of a hyperelliptic curve over Q or a number field, and assumingthat the Shafarevich-Tate group of J is finite, this returns true if and only if theorder of the Shafarevich-Tate group is a square. (Otherwise, the order is twice asquare, as shown by Poonen and Stoll in [PS99]). The order is square if and only ifthe number of “deficient” primes for C is even (see below).

IsDeficient(C, p)

For a genus 2 curve defined over Q or a number field, this returns true if C is“deficient” at p. By definition, the curve is deficient if there are no points on Cdefined over any extension of odd degree over Qp (when p is a prime) or over R(when p is 0). Equivalently, C is deficient if there is no Qp-rational divisor of odddegree on C.


RankBound(J)

RankBounds(J)

An upper bound, or a lower and an upper bound, on the rank of the Mordell-Weilgroup of J , which should be the Jacobian of a hyperelliptic curve over the rationalsor a number field, for which the TwoSelmerGroup can be computed.

TwoSelmerGroup(J)

Al MonStgElt Default :

Fields SetEnum Default :

ReturnFakeSelmerData BoolElt Default : false

ReturnRawData BoolElt Default : false

Verbose Selmer Maximum : 3The 2-Selmer group of the Jacobian of a hyperelliptic curve defined over Q or anumber field. The curve must either have a single point at infinity (for curves inthe simplified form y2 = f(x), this is equivalent to f(x) having odd degree), or elsethe curve must be of genus 2 and defined over Q. The algorithm may work betterwhen an integral model of the curve is given (or better yet, a minimal model).

The Selmer group is returned as a finite abelian group S, together with a mapfrom S to some affine algebra A, which represents the standard map from the Selmergroup to A∗/(A∗)2 or to A∗/(A∗)2Q∗ (depending whether the degree of f is odd oreven).

Two separate implementations exist internally in Magma. (Prior to V2.13 thesewere available as the intrinsics TwoSelmerGroup and TwoSelmerGroupData). Theuser can specify which implementation is used, by setting the optional parameter Alto "TwoSelmerGroupOld" or to "TwoSelmerGroupData"; otherwise, an appropriatechoice is made automatically.

Much of the computation time is usually spent on class group and unit calcu-lations. These computations can be speeded up by using non-rigorous bounds,and there are two ways to control which bounds are used. The recommendedway is to preset them using one of the intrinsics SetClassGroupBounds orSetClassGroupBoundMaps (see 31.6.1). The other way is to precompute the classgroups of the fields involved (with the desired optional parameters in ClassGroup),and then pass these fields to TwoSelmerGroup via the optional parameter Fields.The class group data is stored, and if TwoSelmerGroup requires a field that is iso-morphic to one of the given Fields, the stored data will automatically be used.The relevant fields are those given by the roots of f , where y2 = f(x) is theSimplifiedModel of the curve.

When called with ReturnFakeSelmerData, the program returns an additionalitem, which specifies the “fake Selmer group” in the terminology of [Sto01]. (This isonly relevant to the even degree case.) The returned object is a tuple 〈B1, B2, B3〉,where B1 is a sequence of elements in A that span a subgroup S1 of A∗/(A∗)2, andB2 and B3 are sequences of integers that span subgroups S2 and S3 of Q∗/(Q∗)2.


The fake Selmer group S is then determined by the exact sequence 0 → S3 → S2 →S1 → S → 0. See [Sto01] for a full explanation of this.

When called with ReturnRawData (which is only available in the odd degreecase), the program additionally returns a third item expvecs and a fourth itemfactorbase. These specify the images in A∗/(A∗)2 of the Selmer group generators(in unexpanded form). The factorbase is a sequence of elements fj of A, andexpvecs is a sequence of vectors in ZF , where F is the number of elements in thefactorbase. The image in A∗/(A∗)2 of the ith Selmer group generator is then thesum over j of f

ej

j where (ej) is the ith exponent vector.

Example H107E25

In this example, we find out as much as we can about the Mordell-Weil group of the Jacobian of

y2 = x(x + 13442)(x + 108152)(x + 54062)(x + 27002).

First define the curve and its Jacobian:


> pol := x*(x+1344^2)*(x+10815^2)*(x+5406^2)*(x+2700^2);

> C := HyperellipticCurve( pol );

> J := Jacobian(C);

> J;

Jacobian of Hyperelliptic Curve defined by

y^2 = x^5 + 155285397*x^4 + 4761213301312596*x^3 + 33018689414366470785600*x^2

+ 45012299099933971943424000000*x over Rational Field

We can search for points on C (with x-coordinate up to Bound):

> ptsC := Points(C : Bound := 10^6);

> ptsC;

@ (1 : 0 : 0), (0 : 0 : 1), (43264 : -44828581639628800 : 1),

(43264 : 44828581639628800 : 1) @

> pointAtInfinity := ptsC[1];

This pointAtInfinity (1 : 0 : 0) might not seem to lie on C, but recall that in Magma, a hyperel-liptic curve lives in a weighted projective plane. We can also search for points on the Jacobian,which takes longer:

> time ptsJ := Points(J : Bound := 2000);

Time: 0.670

> ptsJ;

@ (1, 0, 0), (x, 0, 1) @

The notation for points on J is explained in the section “Points on the Jacobian” in this chapter.The points appearing above are the trivial point on J , and the point corresponding to the divisor(0 : 0 : 1)− (1 : 0 : 0) on C.

> ptsJ[1] eq J!0; // Is the first point equal to 0 on J?

true


> Order( ptsJ[2] );

2

So far, we have only found some trivial points on J . In fact, we can see from the equation that Jhas full 2-torsion, which we now confirm.

> Jtors, map := TorsionSubgroup(J);

> Jtors;

Abelian Group isomorphic to Z/2 + Z/2 + Z/2 + Z/4


Relations:

2*P[1] = 0

2*P[2] = 0

2*P[3] = 0

4*P[4] = 0

Jtors is an abstract group, and map converts elements of Jtors to actual points on J . Here arethe generator of the Z/4 and its inverse.

> map(Jtors.4);

> map(3*Jtors.4);

(x^2 + 32963094*x - 212161021632000, 94792247622*x - 2005558137487296000, 2)

(x^2 + 32963094*x - 212161021632000, -94792247622*x + 2005558137487296000, 2)

Looking at the points on C we found above, the third of them looks nontrivial, so we find itsorder on J :

> P := ptsC[3];

> PJ := J![ P, pointAtInfinity ];

> PJ;

(x - 43264, -44828581639628800, 1)

> Order(PJ);

0

This means PJ has infinite order on J . Now we do two-descent on J :

> #TwoSelmerGroup(J);

64

We already knew that J(Q)[2] has order 16, and that the rank of J(Q) is at least 1, so we nowknow that the rank is either 1 or 2. We now ask whether the order of Sha(J) is a square or twicea square (assuming it is finite):

> HasSquareSha(J);

true

It follows (assuming Sha(J) is finite) that Sha(J) has odd order, and that J(Q) has rank 2, eventhough the other generator of J(Q) is probably not easy to find, especially if does not come froma point on C.For more examples of Selmer group computations, see the next section.


Example H107E26

We produce some Jacobians for which the order of the Tate-Shafarevich group is twice a square(assuming it is finite). We then observe how this affects the rank bounds.A good source of examples are curves y2 = 3(x6 − x2 + a) for a = 1 mod 3, since these curves are“deficient” at 3 (for the definition, see above); this can be proved by elementary arguments. Wenow list those (for a up to 50) which have nonsquare Sha.


> for a := 1 to 50 do

> if a mod 3 eq 1 then

> Ca := HyperellipticCurve( 3*(x^6-x^2+a) );

> assert IsDeficient(Ca,3);

> // (This causes a failure if our assertion is wrong.)

> if not HasSquareSha(Jacobian(Ca)) then print Ca; end if;

> end if;

> end for;

Hyperelliptic Curve defined by y^2 = 3*x^6 - 3*x^2 + 12 over Rational Field











Aside: we could have tried simply y2 = 3(x6 + a) for a = 1 mod 3, but this won’t produce anyexamples: it’s a cute exercise to show that for these curves, the number of deficient primes isalways even.Now consider the Mordell-Weil rank of the second curve listed (where a = 7),

> C7 := HyperellipticCurve( 3*(x^6-x^2+7) );

> J := Jacobian(C7);

> #TwoTorsionSubgroup(J);

1

> #TwoSelmerGroup(J);

2

> RankBound(J);

0

There is no nontrivial 2-torsion in J(Q), and the Selmer group has order 2. The program haschecked that the order of the Tate-Shafarevich group is twice a square (hence the 2-rank of Shais exactly 1), and therefore it has returned a RankBound indicating that J(Q) has rank 0. Thisrank bound is unconditional. In fact, the computation proves that there is a subgroup Z/2 in Shamodulo the subgroup of infinitely divisible elements; therefore one may also deduce unconditionallythat the 2-power part of Sha is finite cyclic (since if there was an infinitely 2-divisible part, itwould still contribute to the 2-Selmer group).


107.12 Chabauty’s MethodThis is a method for finding the rational points on a curve C of genus at least 2, thatapplies when the Mordell-Weil group of Jac(C) has rank less than the genus of C. Itinvolves doing local calculations at some prime where C has good reduction.

The method is implemented here for (hyperelliptic) genus 2 curves over Q. There aretwo cases to consider:• J(Q) has rank 0. This case is trivial, because one can enumerate all points in J(Q),

and then find C(Q). The function that does this is Chabauty0.• J(Q) has rank 1. The user chooses a small prime of good reduction. In this case (or in

general, when the rank is one less than the genus) the results are likely to become lessuseful for larger primes.

Brief outline of the theory: Under the assumption that the rank of J = Jac(C) is strictlyless than the genus of C, the closure V of J(Q) in J(Qp) (in the p-adic topology) can bedescribed as the locus where certain power series vanish. The dimension of V is at mostthe rank of J(Q). The image of C in J (under a natural embedding) will intersect V in afinite set, and this set must contain C(Q). By examining the power series that define thisfinite intersection, one obtains upper bounds for the number of points on C(Q) in eachcongruence class modulo p (or any power of p).

Chabauty0(J)

Given the Jacobian of a hyperelliptic curve C over Q, the function finds all rationalpoints on C, under the assumption that J(Q) has rank zero.

The assumption is not checked. When it does not hold, the function computesa subset of C(Q) corresponding (in some sense) to the torsion in J(Q).

Chabauty(P, p: Precision)

Precision RngIntElt Default : 5Given a point on the Jacobian of a hyperelliptic curve C over Q, the function usesChabauty’s method (at the prime p) to bound the number of rational points onthe curve C, The curve must have good reduction at the prime p, and the point Pshould generate a subgroup of index coprime to p in J(Q)/Jtors(Q). The algorithmassumes that C is in the simplified form y2 = f(x), where f has integral coefficients.

The function returns an indexed set of tuples 〈x, z, v, k〉 such that there are atmost k pairs of rational points on C whose image in P 1 under the x-coordinate mapare congruent to (x : z) modulo pv, and such that the only rational points on Coutside these congruences classes are Weierstrass points.

If the optional parameter Precision is supplied, then in the returned data eachof the v’s will be greater than or equal to Precision. (This might take some timebecause the algorithm is not optimised for this.)


Example H107E27

In this example, which continues Example H107E23, we prove that the curve y2 = x6 + x2 + 2has only the obvious six rational points.



> ptsC := Points(C : Bound:=1000); ptsC;

@ (1 : -1 : 0), (1 : 1 : 0), (-1 : -2 : 1), (-1 : 2 : 1),

(1 : -2 : 1), (1 : 2 : 1) @

> J := Jacobian(C);

> RankBound(J);

1

So the Jacobian has rank at most 1. Next we ask whether any of the points on C give us pointsof infinite order on J .

> PJ1 := J! [ ptsC[3], ptsC[1] ];

> Order(PJ1);

8

> PJ2 := J! [ ptsC[5], ptsC[1] ];

> Order(PJ2);

0

This means PJ2 has infinite order in J(Q). In Example H107E23 we proved that PJ2 is notdivisible in J(Q). Since we now know J(Q) has rank 1, we can conclude that PJ2 is a generatorof J(Q)/J(Q)tors. Therefore we can use it for Chabauty’s method, at any prime where C hasgood reduction. We will use 3, since this is the smallest good prime.

> BadPrimes(C);

[ 2, 7 ]

> Chabauty(PJ2, 3);

@ <1, 1, 4, 1>, <80, 1, 4, 1>, <1, 0, 4, 1> @

This tells us that there are at most 3 pairs of rational points on C, apart from the Weierstrasspoints. In fact, one can easily check that there are no rational Weierstrass points. Therefore, the6 known points are the only rational points on C. We could also have obtained the same resultby applying Chabauty at the prime 5:

> Chabauty(PJ2, 5);

@ <1, 1, 4, 1>, <624, 1, 4, 1>, <1, 0, 4, 1> @

Example H107E28

Sometimes the bounds obtained from Chabauty’s method are not sharp. For instance, the curvey2 = x6 + 8 has only six small points. This example proves that there are at most eight points,and that if the two extra points really exist, they must satisfy some rather improbable conditions.



> ptsC := Points(C : Bound:= 1000);


> ptsC;

@ (1 : -1 : 0), (1 : 1 : 0), (-1 : -3 : 1), (-1 : 3 : 1),

(1 : -3 : 1), (1 : 3 : 1) @

> J := Jacobian(C);

> PJ := J! [ ptsC[5], ptsC[1]];

> Order(PJ);

0

> RankBound(J);

1

This shows that J(Q) has rank 1, and PJ has infinite order. Now we check that PJ generatesJ(Q)/Jtors(Q). (For more explanation, see the similar calculation in Example H107E23).

> heightconst := HeightConstant(J : Effort:=2, Factor);

> LogarithmicBound := Height(PJ) + heightconst; // Bound on h(Q)

> AbsoluteBound := Ceiling(Exp(LogarithmicBound));

> PtsUpToAbsBound := Points(J : Bound:=AbsoluteBound );

> ReducedBasis([ pt : pt in PtsUpToAbsBound ]);

[ (x^2 - x + 1, 3, 2) ]

[0.326617338771488428260076768590]

> Height(PJ);

0.326617338771488428260076768590

This shows there are no points in J(Q) with canonical height smaller than that of PJ , so PJ isa generator modulo torsion and we may use it for Chabauty’s method, at any good prime.

> BadPrimes(C);

[ 2, 3 ]

> Chabauty(PJ,5);

@ <1, 1, 4, 1>, <1, 0, 10, 2>, <624, 1, 4, 1> @

This tells us there are at most 8 non-Weierstrass points.

> Chabauty(PJ,7);

@ <1, 1, 4, 1>, <0, 1, 4, 1>, <1048, 1, 4, 1>, <1354, 1, 4, 1>,

<1353, 1, 4, 1>, <1, 0, 10, 2>, <2400, 1, 4, 1>, <1047, 1, 4, 1> @

> // Useless!!

> Chabauty(PJ,11);

@ <1, 1, 4, 1>, <14640, 1, 4, 1>, <0, 1, 0, 3>, <1, 0, 10, 2> @

> Chabauty(PJ,13);

@ <28560, 1, 4, 1>, <1, 0, 10, 2>, <1, 1, 4, 1> @

With p = 13 we again get an upper bound of 8.

> Chabauty(PJ,17);

@ <1, 1, 4, 1>, <1, 0, 10, 2>, <83520, 1, 4, 1>, <0, 1, 4, 1> @

> Chabauty(PJ,19);

@ <130320, 1, 4, 1>, <127502, 1, 4, 1>, <127501, 1, 4, 1>, <1, 0, 10, 2>,


<1, 1, 4, 1>, <2819, 1, 4, 1>, <2820, 1, 4, 1> @

We probably won’t get a sharper result by continuing to try larger primes. However, if therereally is a pair of points (X : Y : Z) that we haven’t found, they must satisfy Z/X = 0 mod 510,and also Z/X = 0 mod 1310, and we can sharpen the congruences as much as we like:

> time Chabauty(PJ,5 : Precision:=40);

@ <1, 1, 39, 1>, <1, 0, 28, 2>, <-1, 1, 39, 1> @

Time: 23.070

So the two hypothetical points must satisfy Z/X = 0 mod 528.

Example H107E29

We use Chabauty0 to find all rational points on y2 = x6 + 1.



> J := Jacobian(C);

> RankBound(J);

0

J(Q) has rank 0, so Chabauty0 will give us all rational points on C.

> Chabauty0(J);

@ (1 : -1 : 0), (1 : 1 : 0), (0 : 1 : 1), (0 : -1 : 1) @

This Selmer computation required some class/unit computations in the fields given by roots ofx6 + 1. In this example, there’s clearly an approach requiring less work: to use the self-evidentmap from C to the elliptic curve y2 = x3 + 1, which has rank 0.To define the map, we need to refer to the space where C lives, which is a weighted projectivespace in which Y has weight 3.

> E := EllipticCurve([0,1]);

> Pr2<X,Y,Z> := Ambient(C);

> CtoE := map< C -> E | [X^2*Z,Y,Z^3] >;

The map is well-defined (otherwise Magma would have already complained).

> CtoE;

Mapping from: CrvHyp: C to CrvEll: E

with equations :

X^2*Z

Y

Z^3

Now find the rational points on E.

> Rank(E);

0

> #TorsionSubgroup(E);

6

> ptsE := Points(E : Bound:=100 );

> ptsE;


@ (0 : 1 : 0), (-1 : 0 : 1), (0 : 1 : 1), (0 : -1 : 1),

(2 : 3 : 1), (2 : -3 : 1) @

So, these are all the rational points on E. We can see with the naked eye that only those withX = 0 pull back to rational points on C, giving us the same six points on C that we found before.Of course, we could instead ask Magma to pull them back:

> for P in ptsE do

> preimageofP := P @@ CtoE;

> Points(preimageofP);

> end for;

@ (1 : -1 : 0), (1 : 1 : 0) @

@ @

@ (0 : 1 : 1) @

@ (0 : -1 : 1) @

@ @

@ @

Example H107E30

In Example H107E25 (in the section on 2-Selmer groups) we found a curve of rank 2. Althoughwe cannot apply Chabauty’s method to bound the number of points on C, we can still apply themethod to find all points on C whose images on J lie in a given subgroup of rank 1.


> C := HyperellipticCurve( x*(x+1344^2)*(x+10815^2)*(x+5406^2)*(x+2700^2) );

> J := Jacobian(C);

> ptsC := Points(C : Bound := 10^6);

> ptsC;

@ (1 : 0 : 0), (0 : 0 : 1), (43264 : -44828581639628800 : 1), (43264 :

44828581639628800 : 1) @

> PJ := J! [ ptsC[3], ptsC[1] ];

> Order(PJ);

0

Now we try to bound the set of points on C whose images in J(Q) lie in the subgroup of rank 1generated by PJ . The best available choice of p seems to be 13:

> BadPrimes(C);

[ 2, 3, 5, 7, 11, 17, 41, 53, 103, 113, 193, 337, 541, 601, 677, 5407 ]

> Chabauty(PJ, 13);

@ <43264, 1, 10, 1> @;

This is telling us that there is at most one pair of non-Weierstrass points on C whose images inJ(Q) lie in 〈PJ〉. We already have two non-Weierstrass points in our list of points on C, andtheir images are PJ and −PJ , so now we know we have found all such points.


107.13 Kummer Surfaces

Currently the only Kummer surfaces in Magma are the Kummer surfaces associated toJacobians of genus 2 curves. (The Kummer surface associated to a Jacobian J is a desingu-larisation of the quotient of J by the inverse map.) They are implemented mainly to helpwith computations on Jacobians. The main nontrivial functionality for Kummer surfacesis point searching.

107.13.1 Creation of a Kummer Surface

KummerSurface(J)

The Kummer surface of the Jacobian J of a genus 2 curve.

107.13.2 Structure Operations

DefiningPolynomial(K)

The defining polynomial of the Kummer surface K.

107.13.3 Base Ring

BaseField(K)

BaseRing(K)

CoefficientRing(K)

The base field of the Kummer surface K.


BaseChange(K, F)

BaseExtend(K, F)

Extends the base field of the Kummer surface K to the field F .

BaseChange(K, j)

BaseExtend(K, j)

Extends the base field of the Kummer surface K by the map j, where j is a ringhomomorphism with the base field of C as its domain.

BaseChange(K, n)

BaseExtend(K, n)

Extends the finite base field of the Kummer surface K over a finite field to thedegree n extension.


107.14 Points on the Kummer SurfacePoints are given by their projective coordinates, normalized depending on the base field.


K ! 0

Returns the image of the identity element on the Kummer surface K, which isnormalized to be the origin (0 : 0 : 0 : 1).

K ! [x1, x2, x3, x4]

Returns the point on the Kummer surface K defined by the projective coordinatesx1, x2, x3, and x4.

K ! P

Given a point P on the Jacobian of K, or on a Kummer surface for which K is abase extension, this returns the point on K.

IsPoint(K, S)

Given a sequence S = [x1, x2, x3, x4] of elements of the base field of K, the functionreturns true if the point specified by the sequence defines the homogeneous coordi-nates of a point on the Kummer surface K. If so, the corresponding point on K isreturned as the second value.

Points(K,[x1, x2, x3])

Returns the indexed set of points on the Kummer surface K with first three coor-dinates given by the sequence [x1, x2, x3].


P[i]

Returns the i-th coordinate of the point P , for 1 ≤ i ≤ 4.

Eltseq(P)


Given a point P on a Kummer surface, the function returns the coordinates of P asa sequence.


P eq Q

Given two points on the same Kummer surface, this returns true if and only if thepoints P and Q are equal.

P ne Q

Given two points on the same Kummer surface, this returns false if and only if thepoints P and Q are equal.


107.14.4 Arithmetic of Points

-P

Returns the negation of the point P on the Kummer surface, equal to P itself.

n * P

P * n

Returns the n-th multiple of the point P on the Kummer surface K.

Double(P)

Returns the double 2 ∗ P of the point P .

PseudoAdd(P1, P2, P3)

Let P and Q be points on the Jacobian J of a genus 2 curve. Given the images P1,P2, and P3 on the Kummer surface of points P , Q, and P − Q on J , the functionreturns the image of P + Q.

PseudoAddMultiple(P1, P2, P3, n)

Let P and Q be points on the Jacobian J of a genus 2 curve. Given the images P1,P2, and P3 on the Kummer surface of points P , Q, P −Q on J , the function returnsthe image of P + n ∗Q.

107.14.5 Rational Points on the Kummer Surface

RationalPoints(K, Q)

Given the Kummer surface of the Jacobian of a genus 2 hyperelliptic curve definedover a ring R and sequence Q of three elements of R, the function returns anindexed set containing those points on K whose first three coordinates correspondto the three terms of Q.

Example H107E31

We search for some points on the Kummer surface of the hyperelliptic curve y2 = x5 − 7 definedover the rational field.


> C := HyperellipticCurve(x^5-7);

> Genus(C);

2

> J := Jacobian(C);

> K := KummerSurface(J);

> K;

Kummer surface of Jacobian of Hyperelliptic Curve defined by

y^2 = x^5 - 7 over Rational Field

> Points(K, [0,1,2]);

@ (0 : 1 : 2 : 4) @

> Points(K, [1,3,2]);


@ @

> Points(K, [0,1,3]);

@ (0 : 1 : 3 : 9) @

107.14.6 Pullback to the Jacobian

Points(J, P)

RationalPoints(J, P)

Given a point P on the Kummer surface associated to the Jacobian J (of a genus 2curve), the function returns the indexed set of points on J mapping to P .

107.15 Analytic Jacobians of Hyperelliptic CurvesThis section contains descriptions of functions pertaining to the creation and use of analyticJacobians for hyperelliptic curves.

Suppose C is a curve of genus g defined over the complex numbers. The analyticJacobian of the curve is an abelian torus and is constructed as follows: We view thecomplex points on the curve, C(C), as a compact Riemann surface of genus g. It isknown that the dimension of the vector space of holomorphic differentials is equal to thegenus of the curve. So let ϕi, i = 1, 2, . . . , g be a basis for this vector space and setϕ = t(ϕ1, . . . , ϕg), a vector of holomorphic 1-forms. For a hyperelliptic curve there is anatural choice of holomorphic differentials, namely ϕi = xi−1dx/y. We can now define amapping Int : C → Cg by

P 7→∫ ∞

P

ϕ.

To remove the dependency of this mapping on the path of integration, we define Λ to bethe image of the map from the first homology group of C, H1(C,Z), to Cg which sendsa closed path, σ ∈ H1(C,Z), on the Riemann surface to

∫σ

ϕ. Then Λ turns out to be alattice in Cg and so we get the complex torus Cg/Λ. We then see that Int is a well-definedmapping from C into Cg/Λ. We extend this mapping additively to the divisors of degreezero on C. The Abel part of the Abel-Jacobi theorem states that two divisors map to thesame image under Int if and only if they are linearly equivalent. The Jacobi part of thetheorem asserts that the map is onto. So there is a bijection between the points of Cg/Λand the points of the (algebraic) Jacobian.

So far the analytic Jacobian Cg/Λ is just a torus, but it can be made into an abelianmanifold by choosing a polarization. Let A1, . . . , Ag, B1, . . . , Bg be a symplectic homologybasis. That is, the Ai and Bi are closed paths on the Riemann surface such that allintersection numbers are 0 except that Ai intersects Bi with intersection number 1 foreach i. Let ω1 and ω2 be the g × g-matrices with entries

ω1ij =∫

Bj

ϕi,


andω2ij =

∫

Aj

ϕi.

Then the columns of P = (ω1, ω2) form a Z-basis for the lattice Λ = PZ2g. The matrixP is called the (big) period matrix. The space of complex, symmetric g × g matrices withpositive definite imaginary part is called the Siegel upper-half space of degree g. Becausewe chose a symplectic basis for the homology it follows that τ = ω−1

2 ω1 is an element ofSiegel upper half-space. We will refer to τ as the small period matrix.

Set

J =(

0 1g

−1g 0

).

If we defineE(Px, Py) = txJy,

for any x, y ∈ R2g, then E is a Riemann form for the torus Cg/Λ and so the torus acquiresa polarization. The existence of a Riemann form on a torus is a necessary and sufficientcondition for the torus to be embeddable into projective space. The image is isomorphicto the (algebraic) Jacobian.

In order for the theory describing the map from the analytic Jacobian to the algebraicJacobian (see Mumford [Mum84]) to work we actually need a special symplectic basis linkedto a particular ordering of the roots of the hyperelliptic polynomial. For an example ofsuch a basis see Mumford [Mum84, Chap III.5]. The basis used can be obtained usingthe function HomologyBasis and the roots in the corresponding order are stored as theattribute A‘Roots (where A is an analytic Jacobian).

107.15.1 Creation and Access Functions

AnalyticJacobian(f)

Given f ∈ C[x] where C is a complex field (see Chapter 24), this function returns theanalytic Jacobian of the hyperelliptic curve defined by y2 = f(x). The polynomialmust have degree at least 3 and the complex field precision at least 20 and, for themoment, less than 2000.

HyperellipticPolynomial(A)

Returns the polynomial defining the hyperelliptic curve whose Jacobian is A.

SmallPeriodMatrix(A)

The small period matrix of the analytic Jacobian A. If A has dimension g orequivalently the hyperelliptic curve has genus g, then this is a symmetric g × gmatrix with positive definite imaginary part. If P = (ω1, ω2) is the full periodmatrix (see BigPeriodMatrix) then the small period matrix is defined by ω−1

2 ω1.


BigPeriodMatrix(A)

The full period matrix of the hyperelliptic curve of the Jacobian A. If A has di-mension g or equivalently the hyperelliptic curve has genus g, then this is a g × 2gmatrix. The analytic Jacobian as a torus equals Cg/Λ, where Λ is the Z-latticespanned by the columns of the period matrix. The period matrix is computed withrespect to the holomorphic differentials ϕi = xi−1dx/y and a symplectic basis forthe homology that can be retrieved using HomologyBasis.

HomologyBasis(A)

The symplectic homology basis used for the computation of the period matrix ofthe Jacobian A. First assume that HyperellipticPolynomial(A) has odd degree.The function HomologyBasis(A) returns three values which we label basepoints,loops and S. Then basepoints is a list of points in the complex plane. The re-turn valueloops is a list of 2g lists of indices into basepoints. So the list [i1,i2, i3, ...] corresponds to the loop consisting of joining the straight lines frombasepoints[in] to basepoints[in+1] for i = 1, 2, .... These closed loops form ahomology basis for the curve but probably not a symplectic basis. The third returnvalue, S, is a matrix giving the linear combinations of the loops that were used toform a symplectic homology basis and to compute the period matrix.

If HyperellipticPolynomial(A) has even degree then the returned homologybasis is not for the Riemann surface for this curve, but for the curve of odd degreeobtained by sending a = A‘InfiniteRoot to infinity through the linear fractionaltransformation given by x 7→ 1/(x− a). So one needs to apply the inverse transfor-mation to the returned basis in order to get the basis that was used to compute theperiod matrix.

Dimension(A)

Genus(A)

The dimension of the Jacobian A as a complex abelian variety. This is equal to thegenus of the curve C for which A is the Jacobian.

BaseField(A)

BaseRing(A)

CoefficientRing(A)

The base field of the Jacobian A.


107.15.2 Maps between Jacobians

ToAnalyticJacobian(x, y, A)

Let A be the analytic Jacobian of y2 = f(x). This function maps the point(x, y) on the curve to the analytic Jacobian. More precisely, let a = ∞ whenHyperellipticPolynomial has odd degree and a =A‘InfiniteRoot otherwise.Then it maps the divisor (x, y) − (a, 0) to the analytic Jacobian. As any pointon the algebraic Jacobian is simply a sum of such divisors, we can get its image bylinearity of the map. The function returns a g × 1 matrix. This should be thoughtof as an element of Cg/Λ where Λ is the Z-lattice generated by the columns of theBigPeriodMatrix.

FromAnalyticJacobian(z, A)

Let A be an analytic Jacobian of y2 = f(x), with small period matrix τ . Let z bea g × 1 complex matrix (thought of as an element of Cg/Λ where Λ is the Z-latticegenerated by the columns of the BigPeriodMatrix). This function returns a list ofg (the dimension of A), or fewer, pairs Pi = 〈xi, yi〉 satisfying y2 = f(x). This is anelement of the algebraic Jacobian when interpreted as the divisor

∑gi=1 Pi − g∞.

Example H107E32

We give an example of moving between the algebraic and analytic Jacobians. We take two pointson an algebraic Jacobian, map them to the analytic Jacobian, add them there and map the answerback to the algebraic Jacobian. We check that the answer corresponds to adding the points onthe algebraic Jacobian.


> f := -8*x^5 - 14*x^4 + 28*x^3 - 30*x^2 + 6*x;

> C := HyperellipticCurve(f);

> J := Jacobian(C);

> pts := ReducedBasis(RationalPoints(J:Bound:=500)); pts;

[ (x^2 + 1, -3*x + 5, 2), (x^2 - 4/9*x + 1/9, -55/27*x + 43/27, 2) ]

This Jacobian has rank 2 and these are two generators. We will use them as our two points.

> P1 := pts[1]; P2 := pts[2];

> C := ComplexField(50);

> K<x> := PolynomialRing(C);

> f2 := Evaluate(f,x);

> div1 := [r[1] : r in Roots(Evaluate(ElementToSequence(P1)[1],x))];

> div1 := [<d1,Evaluate(ElementToSequence(P1)[2],d1)> : d1 in div1];

> div2 := [r[1] : r in Roots(Evaluate(ElementToSequence(P2)[1],x))];


> A := AnalyticJacobian(f2);

We are working with 50 decimal places. The sequences div1 and div2 are the two points on thealgebraic Jacobian represented as pairs of 〈x, y〉 coordinates.

> pt1 := &+[ToAnalyticJacobian(d[1],d[2],A) : d in div1];


> pt2 := &+[ToAnalyticJacobian(d[1],d[2],A) : d in div2];

Now pt1 and pt2 are the images of the two points P1 and P2 on the analytic Jacobian (two 2× 1matrices).

> sum := FromAnalyticJacobian(pt1+pt2,A);

> sum;

[ <0.62500000000000000000000000000000000000000000000024 +

-1.4999999999999999999999999999999999999999999999992*I,

1.7343750000000000000000000000000000000000000000053 +

-11.718749999999999999999999999999999999999999999985*I>,

<0.62500000000000000000000000000000000000000000000036 +

1.4999999999999999999999999999999999999999999999992*I,

1.7343750000000000000000000000000000000000000000075 +

11.718749999999999999999999999999999999999999999986*I> ]

Now we have mapped sum back to the algebraic Jacobian where it is given as a sequence of two〈x, y〉 coordinates. We compare the polynomial having these two x-coordinates as roots, with thealgebraic sum of P1 and P2.

> clst := Coefficients((x-sum[1][1])*(x-sum[2][1]));

> xpol := P![BestApproximation(Re(c),1000) : c in clst];

> xpol;

x^2 - 5/4*x + 169/64

> P1+P2;

(x^2 - 5/4*x + 169/64, 125/16*x - 403/128, 2)

107.15.2.1 Isomorphisms, Isogenies and Endomorphism Rings of An-alytic Jacobians

In this section we discuss the functionality provided for finding isomorphisms and iso-genies between different analytic Jacobians and also for computing the endomorphism ringof an analytic Jacobian.

Suppose we have two abelian varieties A1 = Cg/Λ1 and A2 = Cg/Λ2 with a morphismφ : A1 7→ A2. This map lifts to a map Cg 7→ Cg, given by some complex g × g matrix, α.This is called the complex representation of φ. Suppose Λi is spanned by the columns ofthe g×2g matrix Pi. As φ(Λ1) ⊂ Λ2, we see that there must exist an integral 2g×2g matrixM such that αP1 = P2M . M is called the rational representation of φ. If A1 and A2 areisomorphic and P1 and P2 are Frobenius bases, that is, they provide a basis with respect

to which the polarization is given by the matrix J =(

0 1g

−1g 0

), then it follows that M

must be a symplectic matrix. That is, M must be such that MJ tM = J . The symplectic

matrices act on Siegel upper half-space. If M =(

a bc d

)is a symplectic matrix and τ an

element of Siegel upper half-space, then the action is given by τ 7→ (aτ + b)(cτ + d)−1.Note that if there is an isomorphism from A1 to A2 with rational representation M thenτ1 equals the result of letting tM (not M) act on τ2.


In the case of finding isomorphisms between abelian surfaces, the code makes useof a fundamental domain for 2-dimensional upper half-space (see [Got59]). This oftenworks well even with relatively low precision. The other functions all rely on the functionLinearRelation and work with greater reliability if a high precision is chosen. This alsomeans that it can happen that these functions miss finding a map. Even if a map is re-ported it might be an artifact of insufficient precision causing LinearRelation to identifya relation that disappears at higher precision. Of course, every effort was made to makethese functions work as well as possible and no cases are known where sufficient precisionfails to give correct results.

To2DUpperHalfSpaceFundamentalDomian(z)

Given a complex matrix in 2-dimensional Siegel upper half-space (that is a symmet-ric matrix with positive definite imaginary part), this function returns two matrices.The first is an element of the fundamental domain for 2-dimensional Siegel upperhalf-space described by Gottschling in [Got59] and the second is a symplectic matrixthat takes the input to the first return value. Note that if the input is equivalentto an element on the border of the fundamental domain the returned value mightdepend heavily on the least significant digits of the input.

AnalyticHomomorphisms(t1, t2)

Given two small period matrices t1 and t2, this function returns a basis for the Z-module of 2g× 2g integer matrices M such that there exists a complex g× g matrixα such that α(t1, 1) = (t2, 1)M .

IsIsomorphicSmallPeriodMatrices(t1,t2)

For two small period matrices t1 and t2, this function finds a 2g × 2g symplecticinteger matrix M such that there exists a complex g×g matrix α such that α(t1, 1) =(t2, 1)M . Such matrices define isomorphisms between the corresponding analyticJacobians. The first return value is true if such a matrix is found, false otherwise.The second return value is the matrix, if found. Zero matrix otherwise.

IsIsomorphicBigPeriodMatrices(P1, P2)

For two big period matrices P1 and P2, this function finds a 2g×2g symplectic integermatrix M such that there exists a complex g × g matrix α such that αP1 = P2M .Such matrices define isomorphisms between the corresponding analytic Jacobians.The first return value is true if such a matrix is found, false otherwise. The secondand third return values are M and α, if found.

IsIsomorphic(A1, A2)

For two analytic Jacobians A1 and A2 with big period matrices P1 and P2, thisfunction finds a 2g×2g symplectic integer matrix M such that there exists a complexg × g matrix α such that αP1 = P2M . Such matrices define isomorphisms betweenthe analytic Jacobians. The first return value is true if such a matrix is found, falseotherwise. The second and third return values are M and α, if found.


IsIsogenousPeriodMatrices(P1, P2)

For two period matrices (small or big) P1 and P2, this function finds a nonsingular2g× 2g integer matrix M such that there exists a complex g× g matrix α such thatα(P1, 1) = (P2, 1)M , in case of small period matrices, or αP1 = P2M for big periodmatrices. Such a matrix defines an isogeny between the corresponding analyticJacobians. The first return value is true if such a matrix is found, false otherwise.The second return value is M , if found. In the case of big period matrices α is thethird return value.

IsIsogenous(A1, A2)

For two analytic Jacobians A1 and A2 with big period matrices P1 and P2, thisfunction finds a nonsingular 2g × 2g integer matrix M such that there exists acomplex g × g matrix α such that αP1 = P2M . Such a matrix defines an isogenybetween the analytic Jacobians. The first return value is true if such a matrix isfound, false otherwise. The second and third return values are M and α, if found.

EndomorphismRing(P)

This function returns the endomorphism ring, as a matrix algebra, of the analyticJacobian associated to the given period matrix P . If a big period matrix, P , is giventhen it also returns a list of α-matrices such that αP = PM , for each generator, M ,of the matrix algebra.

EndomorphismRing(A)

This function returns the endomorphism ring, as a matrix algebra, of the givenanalytic Jacobian A. Suppose the analytic Jacobian has big period matrix P . Thesecond return value is a list of α-matrices such that αP = PM , for each generator,M , of the matrix algebra.

Example H107E33

We give an example of how Magma can be used to find rational isogenies between the Jacobiansof genus 2 curves. Let us consider the two curves

y2 = x5 − 4x4 + 8x2 − 4x,

andy2 = x5 + 4x4 + 10x3 + 12x2 + x.

These are curves 1 and 3 in the twenty second isogeny class of Smart [Sma97]. We compute theiranalytic Jacobians to 100 decimal places.

> K<x> := PolynomialRing(RationalField());

> C := ComplexField(100);

> KC<xc> := PolynomialRing(C);

> f1 := x^5 - 4*x^4 + 8*x^2 - 4*x;

> f1C := Evaluate(f1,xc);

> A1 := AnalyticJacobian(f1C);


> f2 := x^5 + 4*x^4 + 10*x^3 + 12*x^2 + x;

> f2C := Evaluate(f2,xc);

> A2 := AnalyticJacobian(f2C);

We now get a basis for the Z-module of isogenies from A1 to A2. Note that IsIsogenous returnstrue for these two Jacobians, but it does not return an isogeny defined over Q.

> Mlst := AnalyticHomomorphisms(SmallPeriodMatrix(A1),SmallPeriodMatrix(A2));

> Mlst;

[

[ 1 0 -1 0]

[ 0 1 0 0]

[ 1 1 1 0]

[ 1 1 -1 2],

[ 1 0 1 0]

[ 0 0 0 -1]

[-1 0 1 -1]

[ 1 2 1 -1],

[ 0 1 0 -1]

[ 1 0 0 0]

[ 1 1 0 1]

[ 1 1 2 -1],

[ 0 1 0 1]

[ 0 0 -1 0]

[ 0 -1 -1 1]

[ 2 1 -1 1]

]

>

For each of these four “M” matrices let us find the corresponding α matrices.

> P1 := BigPeriodMatrix(A1);

> P2 := BigPeriodMatrix(A2);

> alst := [Submatrix(P2*Matrix(C,M),1,1,2,2)

> *Submatrix(P1,1,1,2,2)^-1 : M in Mlst];

> alst[2][1,1];

9.49857267318279326916448048991143479789137754919824276557860348643797948105949

8481543257426864218501E-101 + -1.4142135623730950488016887242096980785696718753

76948073176679737990732478462107038850387534327641573*i

>

So at least alst[2] does not correspond to a rational isogeny. In general none of the four α-matrices might correspond to a rational isogeny. But it is possible that some Z-linear combinationof them is defined over the rationals and we want to know whether this actually happens. Wecan find out by recognizing the entries of the α-matrices as algebraic numbers. This can be doneusing the PowerRelation function.

> SetDefaultRealFieldPrecision(100);


> pol := PowerRelation(C!alst[4][1,1],8:Al:="LLL");

> Evaluate(pol,x);

x^4 + 2*x^2 - 1

It turns out that every entry of each of the alst matrices is in the number field defined by thepolynomial x8 + 12x6 + 34x4 + 52x2 + 1. We can use LinearRelation to write each entry as alinear combination of the elements of a power basis for this number field. For example:

> aroot := C!Roots(Evaluate(x^8 + 12*x^6 + 34*x^4 + 52*x^2 + 1,xc))[1][1];

> basis := [arootî : i in [0..7]];

> LinearRelation(Append(basis,alst[2][1,1]));

[ 0, 411, 0, 293, 0, 107, 0, 9, -40 ]

So we can write each α-matrix as an algebraic number in the number field defined by x8 +12x6 +34x4 + 52x2 + 1. It is then a simple matter to find a linear combination of the α-matrices that isdefined over Q. In this particular case we get lucky and alst[1] itself is already rational:

> alpha := alst[1];

> alpha;

[1.1429873912822749822157835483053409594519099948227986612151258432276326359067

38195675448021860172030E-100 + 1.23928539763340698646676489320756860362798512

5201250666217517621001351893530963357790883492962362769E-100*i

-0.99999999999999999999999999999999999999999999999999999999999999999999999999

99999999999999999999999999 + -1.186746029522145753827915120679934647863639129

872566393745293697438092777106745249196918175632802507E-100*i]

[-2.000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000 + 8.334710799700090834903499884806428065464872993741

227568734726305245439778438567887663105063271942125E-101*i

1.000000000000000000000000000000000000000000000000000000000000000000000000000

000000000000000000000000 + -1.29064186778300376477121365149925086148800581946

5331943514008039451662739730964143625816137036994307E-100*i]

So the two Jacobians are Q-isogenous. We can use alpha to map points from the one Jacobianto the other. We check that it maps rational points to rational points.

> C1 := HyperellipticCurve(f1);

> J1 := Jacobian(C1);

> pts1 := RationalPoints(J1:Bound:=500);

> pts1;

@ (1, 0, 0), (x^2 - 2*x + 1, 1/2*x + 1/2, 2), (x^2 - 2*x + 1, -1/2*x - 1/2, 2),

(x, 0, 1), (x - 1, 1, 1), (x - 1, -1, 1), (x^2 - 2, 0, 2), (x^2 + 2, 4*x, 2),

(x^2 + 2, -4*x, 2), (x^2 - x, x, 2), (x^2 - x, -x, 2), (x^2 - 4*x - 2, 4*x, 2),

(x^2 - 4*x - 2, -4*x, 2), (x^2 - 4*x + 2, 0, 2), (x^2 - 9/4*x - 4, 3/8*x - 2,

2), (x^2 - 9/4*x - 4, -3/8*x + 2, 2), (x^2 - 52/9*x + 50/9, 152/27*x - 160/27,

2), (x^2 - 52/9*x + 50/9, -152/27*x + 160/27, 2), (x^2 + 16/25*x - 18/25,

152/125*x - 96/125, 2), (x^2 + 16/25*x - 18/25, -152/125*x + 96/125, 2) @

> P1 := pts1[8]; P1;

(x^2 + 2, 4*x, 2)

> div1 := [r[1] : r in Roots(Evaluate(ElementToSequence(P1)[1],xc))];


> pt1 := &+[ToAnalyticJacobian(d[1],d[2],A1) : d in div1];


> P2 := FromAnalyticJacobian(alpha*pt1,A2);

> clst := Coefficients((xc-P2[1][1])*(xc-P2[2][1]));

> xpol := K![BestApproximation(Re(c),10^50) : c in clst];

> xpol;

x^2 + x + 1

> C2 := HyperellipticCurve(f2);

> J2 := Jacobian(C2);

> pts2 := RationalPoints(J2:Bound:=500);

> pts2;

@ (1, 0, 0), (x^2 + 2*x + 1, x - 1, 2), (x^2 + 2*x + 1, -x + 1, 2), (x + 1, 2,

1), (x + 1, -2, 1), (x, 0, 1), (x^2 + x, 2*x, 2), (x^2 + x, -2*x, 2), (x^2 + x +

1, 2*x - 1, 2), (x^2 + x + 1, -2*x + 1, 2), (x^2 - 23*x - 16, 122*x + 84, 2),

(x^2 - 23*x - 16, -122*x - 84, 2), (x^2 + 23/4*x + 9, 59/8*x + 57/2, 2), (x^2 +

23/4*x + 9, -59/8*x - 57/2, 2), (x^2 - 106/9*x + 1/9, 2599/54*x - 19/54, 2),

(x^2 - 106/9*x + 1/9, -2599/54*x + 19/54, 2), (x^2 - 9/16*x - 1/16, 269/64*x +

21/64, 2), (x^2 - 9/16*x - 1/16, -269/64*x - 21/64, 2) @

107.15.3 From Period Matrix to Curve

RosenhainInvariants(t)

Given a small period matrix t corresponding to an analytic Jacobian A of genus g,this function returns a set S of 2g − 1 complex numbers such that the hyperellipticcurve y2 = x(x − 1)

∏s∈S(x − s) has Jacobian isomorphic to A. The name of the

function comes from the fact that a hyperelliptic curve in the form y2 = x(x−1)(x−λ1)...(x− λ2g−1) is said to be in Rosenhain normal form.

Example H107E34

We give an example of how Magma can be used to find the equation of a genus 2 curve whose

Jacobian has Complex Multiplication by a given field. We use the field Q(√−2 +

√2).

> SetSeed(1);

> Q := RationalField();

> P<x> := PolynomialRing(Q);

> R<s> := NumberField(x^2-2);

> PP<x> := PolynomialRing(R);

> RF := NumberField(x^2-(-2+s));

> CMF<t> := AbsoluteField(RF);

> O := MaximalOrder(CMF);

Now, for a CM type Φ, and O the ring of integers, C2/Φ(O) is a torus with Complex Multiplication

by the maximal order of our field Q(√−2 +

√2). In order for this to be an abelian variety we

have to find a principal polarization. This can be done using Algorithm 1 in [Wam99]. In thiscase it turns out that a principal polarization is essentially given by the reciprocal of a generatorof the different:

> D := Different(O);


> bool, gen := IsPrincipal(D);

> xi := 1/gen;

> auts := Automorphisms(CMF : Abelian := true);

> cc := auts[3];

> cc(cc(t)) eq t;

true

> cc(xi^2) eq xi^2;

true

So cc is complex multiplication and xi squared is in the real subfield. By Theorem 3 of [Wam99]we see that this gives a principal polarization. We now find a Frobenius basis for our lattice withrespect to the non-degenerate Riemann form given by xi.

> Z := IntegerRing();

> E := Matrix(Z,4,4,[Trace(xi*cc(a)*b) : b in Basis(O), a in Basis(O)]);

> D, C := FrobeniusFormAlternating(E); D;

[ 0 0 1 0]

[ 0 0 0 1]

[-1 0 0 0]

[ 0 -1 0 0]

> newb := ElementToSequence(Matrix(O,C)*Matrix(O,4,1,Basis(O)));

> SetKantPrecision(O,100);

> Abs(Re(Conjugate(xi,2))) lt 10^-10 and Im(Conjugate(xi,2)) gt 0;

true

> Abs(Re(Conjugate(xi,4))) lt 10^-10 and Im(Conjugate(xi,4)) gt 0;

true

The CM type Φ is given by the second and fourth complex embeddings. We can finally writedown a big period matrix and find the element in the Siegel upper half-space corresponding toour CM Jacobian:

> C := ComplexField(100);

> BigPM := Matrix(C,2,4,[Conjugate(b,2) : b in newb] cat

> [Conjugate(b,4) : b in newb]);

> tau := Submatrix(BigPM,1,3,2,2)^-1*Submatrix(BigPM,1,1,2,2);

We can use EndomorphismRing to check that the analytic Jacobian corresponding to tau doeshave CM by the correct field:

> MA := EndomorphismRing(tau); Dimension(MA);

4

> MAGens := SetToSequence(Generators(MA)); MAGens;

[

[-1 0 0 0]

[ 0 -1 0 0]

[ 0 0 -1 0]

[ 0 0 0 -1],

[ 0 0 -17 -7]

[ 0 0 -7 -3]

[ 5 -12 0 0]

[-12 29 0 0]


]

> MP := [MinimalPolynomial(g): g in MAGens];

> IsIsomorphic(NumberField(repf: f in MP | Degree(f) gt 1), CMF);

true

Now let us find a curve with this Jacobian.

> S := RosenhainInvariants(tau);

> P<x> := PolynomialRing(C);

> f := x*(x-1)*&*x-a : a in S;

> IC := IgusaClebschInvariants(f);

> ICp := [BestApproximation(Re(r),10^50) : r in

> [IC[1]/IC[1], IC[2]/IC[1]^2, IC[3]/IC[1]^3, IC[4]/IC[1]^5]];

> ICp;

[ 1, 5/324, 31/5832, 1/1836660096 ]

> C1 := HyperellipticCurveFromIgusaClebsch(ICp);

> C2 := ReducedModel(C1 : Al := "Wamelen");

> C2;

Hyperelliptic Curve defined by y^2 = -x^5 - 3*x^4 + 2*x^3 + 6*x^2 - 3*x - 1

over Rational Field

Let’s check that this curve’s analytic Jacobian is isomorphic to the one corresponding to tau.

> P<x> := PolynomialRing(C);

> f := -x^5 - 3*x^4 + 2*x^3 + 6*x^2 - 3*x - 1;

> A := AnalyticJacobian(f);

> IsIsomorphicSmallPeriodMatrices(tau,SmallPeriodMatrix(A));

true

[ 1 -2 0 0]

[ 0 0 2 1]

[ 1 -2 5 2]

[ 2 -5 4 2]

107.15.4 Voronoi CellsThis section describes two functions that are concerned with the computation of Voronoicells.

Delaunay(sites)

This function computes the Delaunay triangulation for the sites given by sites. Theargument sites should be a sequence of pairs (of type Tup) of real numbers. Thereal numbers should all belong to the same real field. For n sites, a sequence of nsequences is returned. The ith sequence contains the list of indices of the sites towhich site i should be joined to form the triangulation.


Voronoi(sites)

This function computes the Voronoi cells for the sites given by sites. A Voronoi cellof a site consists of all those points in the plane closer to that site than to any other.The argument sites should be a sequence of pairs (of type Tup) of real numbers.The real numbers can be either fixed precision or free reals, but they should all bein the same real field.

Three sequences, siteedges, dualsites and cells are returned. The sequencesiteedges is what the intrinsic Delaunay would have returned (so it defines theDelaunay triangulation). The sequence dualsites is a sequence of triples 〈x, y, m〉,interpreted as follows: If m is zero the triple represents the point x, y. If m is non-zero the triple represents a point “at infinity” in the direction of the vector x, y. Forn sites, cells is a sequence of n sequences. The ith sequence is a list [i1, i2, i3, ..., im]such that the cell around site i is formed by connecting dualsites[i1] to dualsites[i2],... If a cell is infinite the first and last indices in the sequence point to infinitepoints. That is, the two infinite sides are given by the lines (x0, y0) + t(x1, y1), fort ≥ 0 where (x0, y0) equals dualsites[i2][1], dualsites[i2][2] and (x1, y1) equals dual-sites[i1][1], dualsites[i1][2] or (x0, y0) equals dualsites[im-1][1], dualsites[im-1][2] and(x1, y1) equals dualsites[im][1], dualsites[im][2].

107.16 Bibliography

[Bos00] Wieb Bosma, editor. ANTS IV, volume 1838 of LNCS. Springer-Verlag, 2000.[Bru02] N. R. Bruin. Chabauty methods and covering techniques applied to generalized

Fermat equations. PhD thesis, University of Leiden, Amsterdam, 2002. Dissertation,University of Leiden, Leiden, 1999.

[CQ02] Gabriel Cardona and Jordi Quer. Field of moduli and field of definition forcurves of genus 2, 2002. URL:http://au.arxiv.org/abs/math.NT/0207015.

[FS97] E.V. Flynn and N.P. Smart. Canonical heights on the Jacobians of curves ofgenus 2 and the infinite descent. Acta Arith., 79:333 – 352, 1997.

[GH00] P. Gaudry and R. Harley. Counting Points on Hyperelliptic Curves over FiniteFields. In Bosma [Bos00], pages 313–332.

[Got59] E. Gottschling. Explizite Bestimmung der Randflachen des Fundamentalbere-iches der Modulgruppe zweiten Grades. Math. Annalen, 138:103–124, 1959.

[Hub06] Hendrik Hubrechts. Point counting in families of hyperelliptic curves. PreprintURL:http://arxiv.org/abs/math.NT/0601438, 2006.

[Ked01] Kiran S. Kedlaya. Counting Points on Hyperelliptic Curves using Monsky-Washnitzer Cohomology. J. Ramanujan Math. Soc., 16:323 – 338, 2001.

[LL] R. Lercier and D. Lubicz. A Quasi-Quadratic Time Algorithm for HyperellipticCurve Point Counting. to appear.

[Mes91] J.-F. Mestre. Construction de courbes de genre 2 a partir de leurs modules. InT. Mora and C. Traverso, editors, Effective methods in algebraic geometry, volume 94


of Progr. Math., pages 313–334. Birkhauser, 1991. Proc. Congress in Livorno, Italy,April 17–21, 1990.

[Mum84] David Mumford. Tata Lectures on Theta II, volume 43 of Progress inMathematics. Birkhauser, 1984.

[PS99] Bjorn Poonen and Michael Stoll. The Cassels-Tate pairing on polarized abelianvarieties. Ann. of Math. (2), 150(3):1109–1149, 1999.

[Sma97] N. P. Smart. S-unit equations, binary forms and curves of genus 2. Proc.London Math. Soc. (3), 75(2):271–307, 1997.

[Sto99] M. Stoll. On the height constant for curves of genus two. Acta Arith., 90(2):183– 201, 1999.

[Sto01] Michael Stoll. Implementing 2-descent for Jacobians of hyperelliptic curves.Acta Arith., 98(3):245–277, 2001.

[SV01] Tony Shaska and Volklein. Elliptic subfields and automorphisms of genus 2function fields. Springer, 2001. URL:http://au.arxiv.org/abs/math.AG/0107142.

[Ver02] F. Vercauteren. Computing zeta functions of hyperelliptic curves over finitefields of characteristic 2. In Advances in cryptology - CRYPTO 2002, volume 2442 ofLecture Notes in Comput. Sci., pages 369–384. Springer, Berlin, 2002.

[Wam99] P. Van Wamelen. Examples of Genus Two CM Curves Defined over theRationals. Mathematics of Computation, 68:307–320, 1999.

[Wam01] P. Van Wamelen. Computing with the Jacobian of a Genus 2 Curve.URL:http://www.math.lsu.edu/˜wamelen/genus2.html, 2001.

[Wet97] J. L. Wetherell. Bounding the number of rational points on certain curves ofhigh rank. PhD thesis, U.C. Berkeley, 1997.

108 L-FUNCTIONS108.1 Overview . . . . . . . . . 3493

108.2 Built-in L-series . . . . . . 3494

RiemannZeta() 3494LSeries(K) 3495LSeries(E) 3495LSeries(E,K) 3496LSeries(Chi) 3497LSeries(f) 3497

108.3 Computing L-values . . . . 3499

Evaluate(L,s0) 3499LStar(L,s0) 3500LTaylor(L,s0,n) 3500

108.4 Arithmetic with L-series . . 3501

* 3501/ 3502TensorProduct(L1, L2, ExcFactors) 3502

108.5 General L-series . . . . . . 3503

108.5.1 Terminology . . . . . . . . . 3503

108.5.2 Constructing a General L-Series . 3504

LSeries(weight, gamma, conductor,cffun) 3504

CheckFunctionalEquation(L) 3506

108.5.3 Setting the Coefficients . . . . . 3508

LSetCoefficients(L,cffun) 3508

108.5.4 Specifying the Coefficients Later 3508

108.5.5 Generating the Coefficients fromLocal Factors . . . . . . . . . 3510

108.6 Accessing the Invariants . . 3510

LCfRequired(L) 3510LGetCoefficients(L,N) 3510LSeriesData(L) 3510

108.7 Precision . . . . . . . . . 3512

LSetPrecision(L,precision) 3512

108.7.1 L-series with Unusual CoefficientGrowth . . . . . . . . . . . 3512

108.7.2 Computing L(s) when Im(s) isLarge (ImS Parameter) . . . . 3513

108.7.3 Implementation of L-series Com-putations (Asymptotics Param-eter) . . . . . . . . . . . . . 3513

108.8 Verbose Printing . . . . . 3513

108.9 Advanced Examples . . . . 3514

108.9.1 Self-made L-series of an EllipticCurve . . . . . . . . . . . . 3514

108.9.2 Self-made Dedekind Zeta Function3515

108.9.3 L-series of a Genus 2 HyperellipticCurve . . . . . . . . . . . . 3515

108.9.4 Experimental Mathematics forSmall Conductor . . . . . . . 3517

108.9.5 Tensor Product of L-series Comingfrom l-adic Representations . . . 3518

108.9.6 Non-abelian Twist of an EllipticCurve . . . . . . . . . . . . 3519

108.10 Bibliography . . . . . . . 3520

Chapter 108

L-FUNCTIONS

108.1 Overview

A large variety of ζ-functions and L-functions occur in number theory and algebraic ge-ometry. Some well-known ones include the Riemann ζ-function, the Dedekind ζ-functionof a number field, Dirichlet series associated to characters, and L-series of curves (e.g.,elliptic curves) over the rationals. Magma provides functionality for constructing suchL-functions and computing their values in the complex plane. A typical calculation mightgo as follows:

> L:=LSeries(EllipticCurve([0,-1,1,0,0]));> Evaluate(L,2);0.546048036215013518334126660433

The first line defines an L-series L(E, s) of the elliptic curve

E : y2 + xy = x3 − x2

while the second line computes its value at s = 2. An impatient reader may wish simplyto type LSeries; at the prompt and look at the various LSeries signatures and mimicthe code above, thus getting access to much of the functionality.

Topics covered in this chapter include:

• The built-in L-series which include the Riemann ζ-function, the Dedekind ζ-functionof a number field, Dirichlet series associated to characters, modular forms, and L-seriesof elliptic curves;

• The calculation of values, derivatives and Taylor expansions of L-series in a complexpoint s0 to desired accuracy;

• A technical description of the L-series object in Magma, together with a descriptionof how to construct user-defined L-series with any number of gamma factors, providedthat the L-series satisfies a functional equation of the standard type;

• Operations such as division, multiplication and the tensor product of two L-series.

The reader is referred to Manin-Panchishkin [Sha95] Chapter 4, Serre [Ser65] and articlesin [JKS94] for a background on L-functions. The algorithms mostly follow Dokchitser[Dok04] and the Pari implementation ComputeL [Dok02]. See also Lavrik [Lav67], Tollis[Tol97] and the exposition in Cohen [Coh00], 10.3.


108.2 Built-in L-series

An L-series or an L-function is an infinite sum L(s) =∑∞

n=1 an/ns in the complex variables with complex coefficients an. Such functions arise in many places in mathematics andthey are usually naturally associated with some kind of mathematical object, for instancea character, a number field, a curve, a modular form or a cohomology group of an algebraicvariety. The coefficients an are certain invariants associated with that object. For example,in the case of a character χ : (Z/mZ)∗ → C∗ they are simply its values an = χ(n) whengcd(n,m) = 1 and 0 otherwise.

Magma is able to associate an L-series to various types of object. The intrinsic whichprovides access to such pre-defined L-series (apart from the Riemann zeta function that isnot quite associated to anything) is

LSeries(object : optional parameters)

Every such function returns a variable of type LSer. A range of functions may nowbe applied to this L-series object as described in the following sections, and these areindependent of the object to which the L-series was originally associated. In fact, anobject of type LSer only “remembers” its origin for printing purposes.

RiemannZeta()


Returns the Riemann zeta function ζ(s).The number of digits of precision to which the values ζ(s) are to be computed

may be specified using the Precision parameter. If it is omitted, the precision ofthe default real field will be used.

Example H108E1

Check that ζ(2) agrees numerically with π2/6.

> L:=RiemannZeta(:Precision:=40);

> Evaluate(L,2);

1.644934066848226436472415166646025189219

> Pi(RealField(40))^2/6;

1.644934066848226436472415166646025189219

Ch. 108 L-FUNCTIONS 3495

LSeries(K)

ClassNumberFormula BoolElt Default : false


Create the Dedekind zeta function ζ(K, s) of a number field K. The series is definedby

∑I NormK/Q(I)−s, where the sum is taken over the non-zero ideals I of the

maximal order of K. For K = Q it coincides with the Riemann zeta function.The Dedekind zeta function has a simple pole at s = 1 whose residue must be

known in order to compute the L-values. The class number formula gives an ex-pression for this residue in terms of the number of real/complex embeddings of K,the regulator, the class number and the number of roots of unity in K. If the op-tional parameter ClassNumberFormula is set to true, then these quantities are com-puted on initialization (using Magma’s functions Signature(K), Regulator(K),#ClassGroup(MaximalOrder(K)) and #TorsionSubgroup(UnitGroup(K))) and itmight take some time if the discriminant of K is large. If ClassNumberFormula isfalse (default) then the residue is computed numerically from the functional equa-tion. This is generally faster, unless the discriminant of K is small and the precisionis set to be very high.

The number of digits of precision to which the values ζ(K, s) are to be computedmay be specified using the Precision parameter. If it is omitted the precision istaken to be that of the default real field.

Example H108E2

This code computes the value of ζ(Q(i), s) at s = 2.

> P<x>:=PolynomialRing(Integers());

> K:=NumberField(x^2+1);

> L:=LSeries(K);

> Evaluate(L,2);

1.50670300992298503088656504818

This particular example could have been expressed somewhat more succinctly by replacing thefirst two lines by either K:=CyclotomicField(4) or K:=QuadraticField(-1).

LSeries(E)


Create the L-series L(E, s) of an elliptic curve E defined over the field of rationalnumbers.

The number of digits of precision to which the values L(E, s) are to be computedmay be specified using the Precision parameter. If it is omitted the precision istaken to be that of the default real field.

Note that the computation time for evaluating an L-series grows almost lin-early with the size of the conductor, so an evaluation might take an unreason-able amount of time if the conductor of E is much larger than, say, 107 or so. If


only the leading term at s = 1 is required, it is faster to use AnalyticRank orConjecturalRegulator.

Example H108E3

Consider the curve E : y2 + y = x3 + x2 of conductor 43. It has Mordell-Weil rank equal to 1, sowe expect L(E, 1) = 0 and L′(E, 1) 6= 0 by the Birch-Swinnerton-Dyer conjecture.


> Conductor(E);

43

> L:=LSeries(E);

> Evaluate(L,1);

0.000000000000000000000000000000

> Evaluate(L,1: Derivative:=1);

0.343523974618478230618071163922

LSeries(E,K)


Given an elliptic curve E defined over the rationals and a number field K, createthe L-series L(E/K, s) associated with E/K. Technically, this is the tensor productof two l-adic representations, the one associated to E/Q and the one associatedto K/Q. Note that the conductor of such a representation usually increases veryrapidly with the discriminant of K and, consequently, the computation time alsoincreases rapidly when evaluating the L-series.

The user should note that for general E and K it is only conjectured thatL(E/K, s) has a meromorphic continuation to C and also possesses a functionalequation. This conjecture is implicitly used in the computations.

The number of digits of precision to which the values L(E/K, s) are to be com-puted may be specified using the Precision parameter. If it is omitted the precisionis taken to be that of the default real field.

Example H108E4

We take the curve E : y2 = x3 + x over the rationals and apply base change to obtain a curveover Q(

√5). The resulting L-series L(E, K, s) is in fact the product of L(E/Q, s) and L(F/Q, s)

where F is E twisted by 5.


> F:=QuadraticTwist(E,5);

> L:=LSeries(E,QuadraticField(5));

> Evaluate(L,1);

1.53733828470360522458966069195

> Evaluate(LSeries(E),1)*Evaluate(LSeries(F),1);

1.53733828470360522458966069195


LSeries(Chi)


Given a primitive dirichlet character χ : (Z/mZ)∗ → C∗, create the associatedDirichlet L-series L(χ, s) =

∑∞n=1 χ(n)/ns. The character χ must be defined so

that its values fall in either the ring of integers, the rational field or a cyclotomicfield.

The number of digits of precision to which the values L(χ, s) are to be computedmay be specified using the Precision parameter. If it is omitted the precision istaken to be that of the default real field.

For information on Dirichlet characters, see 19.8.

Example H108E5

We define a primitive character χ : (Z/37Z)∗ → C∗ and construct the associated Dirichlet L-function.

> G<Chi>:=DirichletGroup(37,CyclotomicField(36));

> L:=LSeries(Chi);

> Evaluate(L,1); // depends on the chosen generator of G

1.65325576836885655776002342451 - 0.551607898922910805875537715934*$.1

LSeries(f)

Embedding Map/UserProgram Default :


Given a modular form f , construct the L-series L(f, s) =∑∞

n=1 an/ns, where fhas the q-expansion

∑∞n=0 anqn. It is assumed that L(f, s) satisfies a functional

equation of the standard kind (see 108.5.1 for the precise form of the functionalequation).

The optional parameter embedding specifies a map which embeds the coefficientsof f into the complex field. By default this is the identity map, so that the coefficientsof f must be coercible into C. Otherwise, the value of the parameter must either bean object of type Map or a user-defined function e(x) each having domain the basering of f and codomain the complex field (or values than can be coerced into thecomplex field).

The number of digits of precision to which the values L(f, s) are to be computedmay be specified using the Precision parameter. If it is omitted the precision istaken to be that of the default real field.


Example H108E6

We define a newform of weight 2 and conductor 16. It is not defined over the integers but ratherover B = Z[i],

> f:=Newforms("G1N16k2A")[1]; f;

q + (-a - 1)*q^2 + (a - 1)*q^3 + 2*a*q^4 + (-a - 1)*q^5 + 2*q^6 -

2*a*q^7 + O(q^8)

> B:=BaseRing(f); B;

Equation Order with defining polynomial x^2 + 1 over Z

The two distinct embeddings of B into the complex numbers give rise to two modular forms,which can be accessed using the ComplexEmbeddings function.

> f1, f2:=Explode(ComplexEmbeddings(f)[1]);

> Coefficient(f,2), Coefficient(f1,2), Coefficient(f2,2);

-a - 1

-1.00000000000000000000000000000 + 1.00000000000000000000000000000*$.1

-1.00000000000000000000000000000 - 1.00000000000000000000000000000*$.1

Thus, f1 and f2 have genuine complex coefficients and we can construct the associated L-seriesand compute their L-values, for instance at s = 1.

> L1:=LSeries(f1);

> L2:=LSeries(f2);

> CheckFunctionalEquation(L1);

-2.36658271566303541623518569585E-30

> CheckFunctionalEquation(L2);

-2.36658271566303541623518569585E-30

> v1:=Evaluate(L1,1); v2:=Evaluate(L2,1); v1,v2;

0.359306437003505684066327207778 + 0.0714704939991172686588458066910*$.1

0.359306437003505684066327207778 - 0.0714704939991172686588458066910*$.1

If instead we invoke LSeries(f), Magma will note that f is defined over a number field andcomplain that the coefficients of f are not well-defined complex numbers.

> L:=LSeries(f);

For f over a number field, you have to specify a complex embedding

Instead of using ComplexEmbeddings, one can instead explicitly specify an embedding of thecoefficients of B into the complex numbers using the parameter Embedding with the functionLSeries The following statements define the same L-function as L2 above.

> C:=ComplexField();

> L2A:=LSeries(f: Embedding:=hom C | i > );

> L2B:=LSeries(f: Embedding:=func< x | Conjugates(x)[1] > );

> L2C:=LSeries(f1: Embedding:=func< x | ComplexConjugate(x) > );

Finally, we illustrate the very important fact that Magma expects, but does not check that theL-function associated to a modular form satisfies a functional equation.

> L:=LSeries(f1+f2); // or L:=LSeries(f: Embedding:=func<x|Trace(B!x)>);

Although Magma is happy with this definition, it is in fact illegal. The modular form f has acharacter whose values lie in the field of the 4-th roots of unity.

> Order(DirichletCharacter(f));


4

The two embeddings f1 and f2 of f have different (complex conjugate) characters and f1 + f2

does not satisfy a functional equation of the standard kind. Magma will suspect this when it triesto determine the sign in the functional equation and thereby print a warning:

> Evaluate(L,1);

|Sign| is far from 1, wrong functional equation?

0.736718188651826073550560964422

> CheckFunctionalEquation(L);

0.00814338037134482026061721221244

The function CheckFunctionalEquation should return 0 (to current precision), so the functionalequation is not satisfied, and the result of evaluating L will be a random number. So it is the user’sresponsibility to ensure that the modular form does satisfy a functional equation as described in108.5.1. Here are some examples of modular forms that do.

> CheckFunctionalEquation(LSeries(f1^2*f2));

1.57772181044202361082345713057E-30

> f3:=ModularForm(EllipticCurve([0,-1,1,0,0]));

> CheckFunctionalEquation(LSeries(f3));

0.000000000000000000000000000000

> M:=Newforms("37k2");

> f4:=M[1,1]; f5:=M[2,1]; f6:=M[3,1];

> CheckFunctionalEquation(LSeries((f5+2*f6)*f4));

5.91645678915758854058796423962E-31

108.3 Computing L-valuesOnce an L-series L(s) has been constructed using either a standard zeta- or L-function(108.2), a user defined L-function (108.5.2) or constructed from other L-functions (108.4),Magma can compute values L(s0) for complex s0, values for the derivatives L(k)(s0) andTaylor expansions.

Evaluate(L,s0)

Derivative RngIntElt Default : 0Leading BoolElt Default : false

Compute L(s0) or the value of the derivative L(D)(s0) for D > 0 where L is anL-series and s0 is a complex number. If D > 0 and it is known that all the lowerderivatives vanish,

L(s0) = L′(s0) = ... = L(D−1)(s0) = 0 ,

the computation time can be substantially reduced by setting Leading:=true. Thisis useful if it is desired to determine experimentally the order of vanishing of L(s)at s0 by successively computing the first few derivatives.


LStar(L,s0)

Derivative RngIntElt Default : 0Compute the value L∗(s0) or the derivative L∗(D)(s0) for D > 0, where s0 is acomplex number. Here L∗(s) = γ(s)L(s) is the modified L-function that satisfiesthe functional equation (cf. 108.5.1)

L∗(s) = sign · L∗(weight− s)

(cf. 108.5.1).

LTaylor(L,s0,n)

ZeroBelow RngIntElt Default : 0Compute the first n + 1 terms of the Taylor expansion of the L-function about thepoint s = s0, where s0 is a complex number:

L(s0) + L′(s0)x + L′′(s0)x2/2! + . . . + L(n)(s0)xn/n! + O(xn+1) .

If the first few terms L(s0), ..., L(k)(s0) of this expansion are known to be zero, thecomputation time can be reduced by setting ZeroBelow:=k + 1.

Example H108E7

We define an elliptic curve E of conductor 5077 and compute derivatives at s = 1 until a non-zerovalue is reached:

> E:=EllipticCurve([0,0,1,-7,6]);

> L:=LSeries(E: Precision:=15);

> Evaluate(L,1);

0.000000000000000

> Evaluate(L,1: Derivative:=1, Leading:=true);

-1.69522909186553E-17


6.27623031179552E-17


10.3910994007158

This suggests that L(E, s) has a zero of order 3 at s = 1. In fact, E is the rational elliptic curveof smallest conductor with Mordell-Weil rank 3:

> Rank(E);

3

Consequently, a zero of order 3 is predicted by the Birch–Swinnerton-Dyer conjecture. We canalso compute a few terms of the Taylor expansion about s = 1, with or without specifying thatthe first three terms vanish.

> time(LTaylor(L,1,5: ZeroBelow:=3));

1.73184990011930*$.1^3 - 3.20590558844390*$.1^4 + 2.93970849657696*$.1^5


Time: 11.070

> time(LTaylor(L,1,5));

-1.69522909186553E-17*$.1 + 3.13811515589776E-17*$.1^2 +

1.73184990011930*$.1^3 - 3.20590558844390*$.1^4 + 2.93970849657696*$.1^5

Time: 20.320

And this is the leading derivative, the same as Evaluate(L,1:D:=3)

> c:=Coefficient($1,3)*Factorial(3);c;

10.3910994007158

Finally, we compute the 3rd derivative of the modified L-function L∗(s) = γ(s)L(s) at s = 1. Foran elliptic curve over the rationals, γ(s) = (N/π2)s/2Γ(s/2)Γ((s+1)/2), where N is the conductor.

So, by the chain rule, L∗′′′(1) = γ(1)L′′′(1) =√

N/πL′′′(1).

> LStar(L,1: Derivative:=3);

417.724689268266

> c*Sqrt(Conductor(E)/Pi(RealField(15)));

417.724689268267

108.4 Arithmetic with L-series

With the exception of some modular forms, all the built-in L-series have weakly multi-plicative coefficients, so that L(s) =

∑an/ns with amn = aman for m, n coprime. For

two such L-series, Magma allows the user to construct their product and, provided thatit makes sense, their quotient.

L1 * L2

Poles SeqEnum Default : []

Residues SeqEnum Default : []


Let L1(s) and L2(s) be two L-series of the same weight whose coefficients are weaklymultiplicative, that is, they satisfy amn = aman for m,n coprime. This functionconstructs their product L(s) = L1(s)L2(s).

If one of the L-series has zeros that cancel the poles of the other L-series, theuser should specify the list of poles for L∗1(s)L

∗2(s) using the Poles parameter and

the corresponding residues using the Residues parameter. See 108.5.1 for the ter-minology and 108.5.2 for the format of the poles and residues parameters.

The number of digits of precision to which the values L(s) are to be computedmay be specified using the Precision parameter. If it is omitted, the precision istaken to be that of the default real field.


L1 / L2

Poles SeqEnum Default : []

Residues SeqEnum Default : []


Let L1(s) and L2(s) be two L-series whose coefficients amn are weakly multiplicative,that is, they satisfy amn = aman for m,n coprime. This function constructs theirquotient L(s) = L1(s)/L2(s).

This function assumes (but does not check!) that this quotient exists and is agenuine L-function with finitely many poles.

If L2(s) happens to have zeros that give poles in the quotient, the user mustspecify the list of poles of L∗1(s)/L∗2(s) using the Poles parameter and the corre-sponding residues using the Residues parameter. See 108.5.1 for the terminologyand 108.5.2 for the format of Poles and Residues.


TensorProduct(L1, L2, ExcFactors)


Sign FldComElt Default :

Let L1 and L2 be L-functions such that L1(s) = L(V1, s) and L2(s) = L(V2, s) areassociated to systems of l-adic representations V1 and V2 (a la Serre). This functioncomputes their tensor product L(s) = L(V1⊗V2, s). This can be used, for example,to twist L-function by characters or higher-dimensional Artin representations (seeExamples 108.9.5, 108.9.6).

Note that, in particular, both L1(s) and L2(s) must have integer conductor,weakly multiplicative coefficients and Hodge numbers in the set 0, 1. The argu-ment ExcFactors is a list of tuples of the form 〈p, v〉 or 〈p, v, Fp(x)〉 that give, foreach of the primes p where V1 and V2 both have bad reduction, the valuation v ofthe conductor of V1 ⊗ V2 at p and the inverse local factor at p. If the data is notprovided for such a prime p, Magma will attempt to compute the local factors byassuming that the inertia invariants behave well at p,

(V1 ⊗ V2)Ip = VIp

1 ⊗ VIp

2 .

It will also compute the conductor exponents by predicting the tame and wild de-grees from the degrees of the local factors, but this does not work if both V1 and V2

are wildly ramified at p.The sign in the functional equation of L(V1⊗V2, s) cannot be determined from the

signs of the factors, so it will be calculated numerically from the functional equation.If the sign is known, the user may specify it by means of the Sign parameter.



See Examples H108E10 and 108.9.5, 108.9.6.

108.5 General L-series

In addition to the built-in L-series for the standard objects, Magma provides machinerythat allows the user to define L-series for arbitrary objects, provided that they admit ameromorphic continuation to the whole complex plane and satisfy a functional equationof the standard kind. To describe how this may be done, we need to introduce someterminology.

108.5.1 TerminologyRecall that an L-series is a sum

L(s) =∞∑

n=1

an

ns,

where the coefficients an are complex numbers, known as the Dirichlet coefficients of theL-series. For example, the Dirichlet coefficients of the classical Riemann zeta functionare an = 1 for all n. We assume that, as in the case of Riemann zeta function, everyL(s) has a meromorphic continuation to the complex plane and has a functional equation.Technically, our assumptions are as follows:

Assumption 1. The defining series for L(s) converges for Re(s) sufficiently large.Equivalently, the coefficients an grow at worst as a polynomial function of n.

Assumption 2. L(s) admits a meromorphic continuation to the entire complex plane.Assumption 3. The following exist: real positive weight, complex sign of absolute

value 1, real positive conductor and the Γ-factor

γ(s) = Γ(s+λ1

2

)· · ·Γ

(s+λd

2

)

of dimension d ≥ 1 and rational Hodge numbers λ1, . . . λd, such that

L∗(s) =(conductor

πd

)s/2

γ(s)L(s)

satisfies the functional equation

L∗(s) = sign · L∗(weight− s).

Here L is the dual L-series with complex conjugate coefficients L(s) =∑∞

n=1 an/ns.Assumption 4. The series L∗(s) has finitely many simple poles and no other singu-

larities.


Assumption 1 will almost certainly be true for any naturally arising L-function andAssumptions 2–4 are expected (but not proven) to be satisfied for most of the L-functionsarising in geometry and number theory. In fact, there is a large class of so-called motivicL-functions for which all of the above assumptions are conjectured to be true. Essentiallythis class consists of L-functions associated to cohomology groups of varieties over numberfields. This is an extremely large class of L-functions that includes all of the standardexamples.

108.5.2 Constructing a General L-SeriesWhen computing the values L(s) for a complex number s, Magma relies heavily on

the functional equation. This means that the emphasized parameters in Assumptions 1–4(coefficients, weight, conductor, poles, etc.) must be known before the computations canbe carried out.

The generic LSeries function allows the user to construct an L-series for a new objectby specifying values for these parameters. In fact, this function is used to construct all ofthe built-in L-series in Magma and some of these will be used as examples to illustrateits use (see the advanced examples section).

LSeries(weight, gamma, conductor, cffun)

Sign FldComElt Default : 0Poles SeqEnum Default : []Residues SeqEnum Default : []Parent Any Default : “unknown origin”CoefficientGrowth UserProgram Default :


ImS FldReElt Default : 0Asymptotics BoolElt Default : true

The function takes four arguments: real positive weight, sequence of rational Hodgenumbers gamma, real positive conductor and a coefficient function cffun together witha number of optional parameters. It constructs an L-series with specified coefficients andthe form of the functional equation.

Compulsory arguments (see Section 108.5.1 for terminology):

weight — weight of the L-series.Specifies the functional equation; for instance, it is 1 for the Riemann zeta function, 2

for curves over the rationals and Weight(f) for modular forms f .

gamma — Hodge numbers (also known as gamma parameters).List (of type SeqEnum) of rational numbers that specify the gamma factor. For in-

stance, this is [0] for the Riemann zeta function, [0,1] for an elliptic curve over Q and[0,...,0,1,...,1] with r1 + r2 zeros and r2 ones for the Dedekind zeta function of anumber field K with r1 real and r2 pairs of complex embeddings.


conductor — conductor of the L-series.Part of the exponential factor ( conductor

πd )s/2 in the functional equation. It is usu-ally an integer and is 1 for the Riemann zeta function, the level for a modular form,|Discriminant(K)| for the Dedekind zeta of a number field K and the conductor of theJacobian for an algebraic curve over the rationals.

cffun — specifies the coefficients an. The following possibilities are allowed:

• A finite sequence [a1, ..., an];• A function f(n) that returns an;• A function f(p, d) that computes the inverse of the local factor at p up to degree

d;• The value 0, signifying that the coefficients will be provided later with a call to

LSetCoefficients.See Section 108.5.3 for a detailed explanation and examples.

Optional parameters for Lseries::

Sign — the sign appearing in the functional equation.This is the sign that enters the functional equation and is usually ±1. It must be a

complex number of absolute value 1. Alternatively, this can be set to 0 (default), in whichcase Magma will determine it numerically from the functional equation.

Instead of providing the actual sign, the user may also use an option Sign:=s where sis the name of a function s(p) or s(L, p) that computes the sign to precision p.

Poles — the poles z of L∗(s) with Re z ≥weight/2 and

Residues — the residues at these polesIf L∗(s) happens to have poles, there are only finitely many of them and each must

be simple by Assumption 4 of the previous subsection. The poles have to be known andspecified here when the L-function is created. The poles are symmetric about the points =weight/2 by the functional equation and only the “right half” of the set of them hasto be supplied in the form of a sequence as the value of the parameter Poles. The defaultsetting is that L∗(s) has no poles.

The residues at the poles of L∗(s) are also required and they can be specified using theResidues parameter, which also takes a sequence as its value. It can be either a sequenceof the same length as Poles or left to its default setting []. In that case, Magma willattempt to determine the residues numerically using the functional equation. However,this is only possible if Sign is known and will not work to full precision if there is morethan one pair of poles.

As an example, the Riemann zeta function has weight 1 and the modified functionζ∗(s) has poles at s = 0 and s = 1 with residues 1 and −1 respectively. So the parameterassignments Poles:=[1], Residues:=[-1] would be used in its definition.

As in the case of Sign, instead of providing the actual residues, the user may give nameof a function r(p) or r(L, p) that computes the residues up to precision p and returns themas a sequence.


Parent — any Magma object.This is only used for printing purposes. When a variable type LSer is printed, Magma

prints “L-series of” and then prints the parent object.

Precision — the precision to which L-values are to be computed (default is 0, usecurrent precision).

CoefficientGrowth — name f of a function f(x) or f(L, x) such that |an| < f(n).

ImS — the largest imaginary part of s for which L(s) will be evaluated.

Asymptotics — whether to use asymptotic expansions (default is yes).These four settings are related to the precision to which values are calculated in L-series

computations. They are the same as for the SetPrecision function and are described indetail in Section 108.7.

As an illustration, the following code creates the Riemann zeta function from its in-variants. This is essentially what RiemannZeta() does:

> Z:=LSeries(1,[0],1,func<n|1>: Sign:=1, Poles:=[1], Residues:=[-1]);> CheckFunctionalEquation(Z);0.0000000000000000000000000000000

For more examples, see the “Advanced examples” section 108.9.

It is strongly advised that the user apply the function CheckFunctionalEquationwhenever a generic L-series is defined. If one of the specified parameters (conductor, sign,etc.) happens to be incorrect, the resulting L-series will not have a functional equationand the values returned by the evaluation functions will be nonsense. Only by checkingthe functional equation will the user have an indication that something is wrong.

CheckFunctionalEquation(L)

t FldReElt Default : 1.2Given an L-series L, this function tests the functional equation numerically andshould ideally return 0 (to the current precision), meaning that the test was passed.If the value returned is a significant distance from 0, either the L-function does nothave a functional equation or some of the defining parameters (conductor, polesetc.) have been incorrectly specified or not enough coefficients have been given. Inthe latter case, CheckFunctionalEquation is likely to return a number reasonablyclose to 0 that measures the accuracy of computations.

As already mentioned, Magma can only work with L-functions that satisfy thefunctional equation as in 108.5.1. Whenever an L-function is constructed, its func-tional equation is implicitly used in all the L-series evaluations, even when L isevaluated in the region where the original Dirichlet series is absolutely convergent.

If either the sign in the functional equation or the residues of L∗(s) have not yetbeen computed, this function will first compute them. If the sign was undefined, itreturns |Sign| − 1 which, again, must be 0.


The optional technical parameter t is a point on the real line where Magmaevaluates the two Theta functions associated to the L-series and subtracts one fromthe other to get the value returned by CheckFunctionalEquation. The parametert must be a real number satisfying 1.05 < t < 1.2 and for every such number thefunction should return 0, provided that the functional equation is indeed correct.

Example H108E8

We attempt to define a truncated L-series of a quadratic character mod 3 (so χ(n) = 0, 1,−1 ifn is 0,1 or 2 mod 3 respectively.)

> L:=LSeries(1,[0],3,[1,-1,0,1,-1,0]: Sign:=-1);


1.152455615560373697496605481547

This does not look right. In fact, the Hodge numbers are 0 for even quadratic characters, but 1for odd ones,

> L:=LSeries(1,[1],3,[1,-1,0,1,-1,0]: Sign:=-1);


1.063726235879220898712968226243

This still does not look right. We gave the wrong sign in the functional equation.

> L:=LSeries(1,[1],3,[1,-1,0,1,-1,0]: Sign:=1);


3.328171077588057787282583863548E-15

This certainly looks better but it indicates that we did not give enough coefficients to our L-series.We determine how many coefficients are needed to do computations with default precision (30digits),

> LCfRequired(L);

11

So 11 coefficients are needed and we provide them in the code below.

> L:=LSeries(1,[1],3,[1,-1,0,1,-1,0,1,-1,0,1]: Sign:=1);


9.860761315262647567646607066035E-32

This a correct way to define our L-series. Even better is the following variant:

> L:=LSeries(1,[1],3,func<n|(n+1) mod 3 -1>: Sign:=1);


9.860761315262647567646607066035E-32

This allows Magma to calculate as many an as it deems necessary using the provided function.


108.5.3 Setting the Coefficients

LSetCoefficients(L,cffun)

This function defines the coefficients an of the L-series L. The argument cffun canbe one of the following:

• A sequence [a1, ..., an];

• A function f(n) that returns an;

• A function f(p, d) that computes the inverse of the local factor at p up to degreed.

When a user-defined L-series is constructed by invoking the function

> L:=LSeries(weight,gamma,conductor,cffun: <optional parameters>);

this is actually equivalent to invoking the pair of functions

> L:=LSeries(weight,gamma,conductor,0: <optional parameters>);> LSetCoefficients(L,cffun);

where the first line indicates that the coefficients will be supplied later and the second lineactually specifies the coefficients. So the following description of the cffun parameter forthe function LSetCoefficients(L,cffun) applies to the main LSeries signature as well.

The first two ways to specify the an are either to give a pre-computed sequence ofcoefficients up to a certain bound or to give the name of a function f(n) that computes thean. (The other two ways are described in the two subsections that follow.) For instance,the following both define the Riemann zeta function with weight 1, one Hodge number 0,conductor 1, sign 1, pole at s = 1 with residue −1, all an = 1:

> V:=[1:k in [1..100]];> L:=LSeries(1,[0],1,V: Sign:=1, Poles:=[1], Residues:=[-1]);

or

> f:=func<n|1>;> L:=LSeries(1,[0],1,f: Sign:=1, Poles:=[1], Residues:=[-1]);

Of the two possibilities, the second one is safer to use in a sense that it lets Magmadecide how many coefficients it needs in order to perform the calculations to the requiredprecision. However, if the computation of an is costly and it involves previous coefficients,then it is probably better to write a function that computes an recursively, storing themin a sequence and then passing it to LSeries.

108.5.4 Specifying the Coefficients LaterWhen specifying a finite list of coefficients it is necessary to know in advance how manycoefficients have to be computed. For this, Magma provides a function LCfRequired(L)(see 108.6).


Example H108E9

We define L to be our own version of the Riemann zeta function (weight 1, one Hodge number0, conductor 1, sign 1, pole at s = 1 with residue −1), but tell Magma that we will specify thecoefficients later with the 4th parameter set to 0. Then we ask how many coefficients it needs toperform computations:

> L:=LSeries(1,[0],1,0: Sign:=1, Poles:=[1], Residues:=[-1]);

> N:=LCfRequired(L); N;

6

Now we compute the coefficient vector [a1, ..., aN ].

> vec:=[1,1,1,1,1,1];

> LSetCoefficients(L,vec);

Now we can evaluate our ζ-function

> Evaluate(L,2);

1.64493406684822643647241516665

> Pi(RealField())^2/6;

1.64493406684822643647241516665

If we provide fewer coefficients, the computations will not have full precision but we can useCheckFunctionalEquation to get an indication of the resulting accuracy

> LSetCoefficients(L,[1,1]);


4.948762810534411372665820496508E-9

> Evaluate(L,2);

1.64493406684811250127872978182

> $1 - Pi(RealField(28))^2/6;

-1.139351936853848646746774340E-13

Note that such good accuracy with just two coefficients is a singular phenomenon that onlyhappens for L-functions with very small conductors. Normally, at least hundreds of coefficientsare needed to compute L-values to this precision.

Note also that the last value Evaluate(L,2) in the example is much more precise than what onewould get with the truncated version of the original defining series ζtrunc(s) = 1 + 1/2s at s = 2.The reason for this is that even in the region where the original Dirichlet series converges, the useof the functional equation usually speeds up the convergence.


108.5.5 Generating the Coefficients from Local FactorsThe final and, in many cases, mathematically the most natural way to supply the coef-ficients is by specifying the so-called local factors. Recall that the coefficients for mostL-series are weakly multiplicative, meaning that amn = aman for m coprime to n. For suchL-series, L(s) admits a product formula

L(s) =∏

p prime

1Fp(p−s)

,

where Fp(x) is formal power series in x with complex coefficients. For example, if L(s) arisesfrom a variety over a number field (and this, as we already mentioned, essentially coverseverything), then such a product formula holds. In this case the Fp(x) are polynomials ofdegree d for those primes p not dividing the conductor and are of smaller degree otherwise.Moreover, their coefficients lie in the ring of integers of the field of definition of the variety.

For L-functions with weakly multiplicative coefficients, Magma allows the coefficientsto be defined by specifying the local factors, using the function LSetCoefficients(L,f)where f is a user-defined function with two arguments p and d that computes Fp(x), eitheras a full polynomial in x or as a power series in x of precision O(xd+1). For example, theRiemann zeta function has Fp(x) = 1− x for all p, so we can define it as follows,

> Z:=LSeries(1,[0],1,0:Poles:=[1],Residues:=[-1],Sign:=1);> P<x>:=PolynomialRing(Integers());> LSetCoefficients(Z,func<p,d|1-x>);

or as

> P<x>:=PowerSeriesRing(Integers());> Z:=LSeries(1,[0],1, func<p,d|1-x+O(x^(d+1))>:Poles:=[1],Residues:=[-1],> Sign:=1);

108.6 Accessing the Invariants

LCfRequired(L)

The number of Dirichlet coefficients an that have to be calculated in order to com-pute the values L(s). This function can be also used with a user-defined L-seriesbefore its coefficients are set, see 108.5.4.

LGetCoefficients(L,N)

Compute the vector of first N coefficients [* a1, ..., aN *] of the L-series given by L.

LSeriesData(L)

Given an L-series L, this function returns the weight, the conductor, the list of Hodgenumbers, the coefficient function, the sign, the poles of L∗(s) and the residues ofL∗(s) as a tuple of length 7. If Sign = 0, this means it has not been computed yet.Residues= [] means they have not yet been computed. From this data, L can bere-created with a general LSeries call (see 108.5.2).


Example H108E10

For a modular form, the q-expansion coefficients are the same as the Dirichlet coefficients of theassociated L-series:

> f:=Newforms("30k2")[1,1];

> qExpansion(f,10);

q - q^2 + q^3 + q^4 - q^5 - q^6 - 4*q^7 - q^8 + q^9 + O(q^10)

> Lf:=LSeries(f);

> LGetCoefficients(Lf,20);

[* 1, -1, 1, 1, -1, -1, -4, -1, 1, 1, 0, 1, 2, 4, -1, 1, 6, -1, -4, -1*]

The elliptic curve of conductor 30 that corresponds to f has, of course, the same L-series.

> E:=EllipticCurve(f); E;

Elliptic Curve defined by y^2 + x*y + y = x^3 + x + 2 over Rational Field

> LE:=LSeries(E);

> LGetCoefficients(LE,20);

[* 1, -1, 1, 1, -1, -1, -4, -1, 1, 1, 0, 1, 2, 4, -1, 1, 6, -1, -4, -1*]

Now we change the base field of E to a number field K and evaluate the L-series of E/K at s = 2.


> K:=NumberField(x^3-2);

> LEK:=LSeries(E,K);

> i:=LSeriesData(LEK); i;

<2, [ 0, 0, 0, 1, 1, 1 ], 8748000, function(p, d [ Precision ]) ... end function,

0, [], []>

The conductor of this L-series (second entry) is very large and this is an indication that thecalculations of L(E/K, 2) to the required precision (30 digits) will take some time. We can alsoask how many coefficients will be used in this calculation.

> LCfRequired(LEK); // a lot!

280632

Decreasing the precision will help somewhat.

> LSetPrecision(LEK,9);

> LCfRequired(LEK);

17508

And realizing that our L-series has a piece that can be factored out will certainly help (see theArithmetic section).

> Q:=LEK/LE;

> LSetPrecision(Q,9);

> LCfRequired(Q);

3780

> time Evaluate(Q,2)*Evaluate(LE,2); // = L(E/K,2)

0.892165947

Time: 8.020


108.7 Precision

The values of an L-series are computed numerically and the precision required in thesecomputations can be specified using the Precision parameter when an L-function is cre-ated. For example,

> K:=CyclotomicField(3);> L:=LSeries(K: Precision:=60);> Evaluate(L,2);1.28519095548414940291751179869957460396917839702892124395133

computes ζ(K, 2) to 60 digits precision. The default value Precision:=0 is equivalentto the precision of the default real field at the time of the LSeries initialization call. Ifthe user only wants to check numerically whether an L-function vanishes at a given points and the value itself is not needed, it might make sense to decrease the precision (to 9digits, say) to speed up the computations.

> E:=EllipticCurve([0,0,1,-7,6]);> RootNumber(E);-1> L:=LSeries(E: Precision:=9);> Evaluate(L, 1: Derivative:=1);1.50193628E-11> Rank(E);3

This example checks numerically that L′(E, 1) = 0 for the elliptic curve E of conductor5077 from Example H108E7.

The precision may be changed at a later time using LSetPrecision.

LSetPrecision(L,precision)

CoefficientGrowth UserProgram Default : default growth

ImS FldReElt Default : 0Asymptotics BoolElt Default : true

Change the number of digits to which the L-values are going to be computed toprecision.

108.7.1 L-series with Unusual Coefficient GrowthThe parameter CoefficientGrowth is the name f of a function f(x) (or f(L, x), whereL is an L-series) which is an increasing function of a real positive variable x such that|an| ≤ f(n). This is used to truncate various infinite series in computations. It is set bydefault to the function f(x) = 1.5 ·xρ−1 where ρ is the largest real part of a pole of L∗(s) ifL∗(s) has poles and f(x) = 2x(weight−1)/2 if L∗(s) has no poles. The user will most likelyleave this setting untouched.


108.7.2 Computing L(s) when Im(s) is Large (ImS Parameter)If s is a complex number with large imaginary part, a great deal of cancellation occurs whilecomputing L(s), resulting in a loss of precision. (The time when all the precision-relatedparameters are pre-computed is when the function LSeries is invoked, and at that timeMagma has no way of knowing whether L(s) is to be evaluated for complex numbers shaving large imaginary part.) If this happens, a message is printed, warning of a precisionloss. To avoid this, the user may specify the largest Im(s) for which the L-values are tobe calculated as the value of the ImS parameter at the time of the L-series initializationor, later, with a call to LSetPrecision:

> C:=ComplexField();> L:=RiemannZeta();> Evaluate(L,1/2+40*i); // wrongWarning: Loss of 13 digits due to cancellation0.793044952561928671982128851045 - 1.04127461465106502007452195086*i> LSetPrecision(L,30: ImS:=40);> Evaluate(L,1/2+40*i); // right0.793044952561928671964892588898 - 1.04127461465106502005189059539*i

108.7.3 Implementation of L-series Computations (Asymptotics Pa-rameter)

The optional parameter Asymptotics in LSetPrecision and in the general LSeriesfunction specifies the method by which the special functions needed for the L-series eval-uation are computed.

If set to false, Magma will use only Taylor expansions at the origin and these are al-ways known to be convergent. With the default behaviour (Asymptotics:=true) Magmawill use both the Taylor expansions and the continued fractions of the asymptotic expan-sions at infinity. This is much faster, but these continued fractions are not proved to beconvergent in all cases.

108.8 Verbose PrintingThere is one verbose printing variable, called "LSeries" that controls verbose printing

for all of the functions in this chapter.

> SetVerbose("LSeries",n);

It accepts verbosity levels n such that 0 ≤ n ≤ 3. The values are as follows:n = 0 is the (default) quiet mode. The functions do not print anything apart from

loss-of-precision warnings.n = 1 is possibly the most useful setting. The sign and the residues of L∗(s) are printed

whenever they are determined from the functional equation.n = 2 generates messages that allow the user to keep track of what is currently hap-

pening. So messages are printed when a new L-function is constructed, when coefficientsare generated or when expansions of special functions are computed.


n = 3 is a “keep-alive” setting that basically informs the user that the computer hasnot crashed yet and, yes, something is still happening. For L-functions of large con-ductor or very high precision that require a large number of coefficients, Magma willprint a “progress indicator” every time 1000 new coefficients are generated and every5000 terms in the series computations that test the functional equation or compute theL-values. (The frequencies 1000 and 5000 are stored in the attributes L‘vprint coeffsand L‘vprint series of a variable L of type LSeries and may be changed at the user’sdesire.)

108.9 Advanced Examples

108.9.1 Self-made L-series of an Elliptic Curve

Example H108E11

This is an example of how the general LSeries function can be used to define the L-series forelliptic curves. This is essentially what LSeries(E) does:


> N:=Conductor(E);N;

10351


The easiest way to define the coefficients is to provide the local factors.

> cf:=func<p,d|1-TraceOfFrobenius(E,GF(p,1))*x

> +(N mod p ne 0 select p else 0)*x^2>;

> L:=LSeries(2,[0,1],N,cf : Parent:=E, Sign:=RootNumber(E));

Compare this with the built-in function LSeries(E)

> Evaluate(L,2);

0.977431866894500508679039127647

> Evaluate(LSeries(E),2);

0.977431866894500508679039127647


108.9.2 Self-made Dedekind Zeta Function

Example H108E12

This is an example of how the general LSeries function may be used to define the Dedekind zetafunction of a number field K. This is essentially what the function LSeries(K) does:

> function DedekindZeta(K)

> M:=MaximalOrder(K);

> r1,r2:=Signature(K);

> gamma:=[0: k in [1..r1+r2]] cat [1: k in [1..r2]];

> disc:=Abs(Discriminant(M));


The coefficients are defined by means of local factors; for a prime p we take the product of 1−xfk

where the fi are the residue degrees of primes above p. Note that this local factor has (maximal)degree [K : Q] if and only if p is unramified or, equivalently, if and only if p does not divide thediscriminant of K which is (up to sign) the conductor of our zeta-function.

> cf:=func<p,d|&*[1-x^Degree(k[1]): k in Decomposition(M,p)]>;

Finally, the Dedekind zeta function has a pole at s = 1 and we need its residue (or, rather, theresidue of ζ∗(s)) which we compute using the class number formula.

> h:=#ClassGroup(M);

> reg:=Regulator(K);

> mu:=#TorsionSubgroup(UnitGroup(M));

> return LSeries(1, gamma, disc, cf: Parent:=K, Sign:=1, Poles:=[1],

> Residues:=[-2^(r1+r2)*Pi(RealField())^(r2/2)*reg*h/mu]);

> end function;

> Z:=DedekindZeta(CyclotomicField(5)); Z;

L-series of Cyclotomic Field of order 5 and degree 4

> Evaluate(Z,1);

L*(s) has a pole at s = 1

> L:=Z/RiemannZeta();

> Evaluate(L,1);

0.339837278240523535464278781159

108.9.3 L-series of a Genus 2 Hyperelliptic Curve

Example H108E13

We compute an L-series of a hyperelliptic curve of genus 2.


> C:=HyperellipticCurve([x^5+x^4,x^3+x+1]); C;

Hyperelliptic Curve defined by y^2 + (x^3 + x + 1)*y = x^5 + x^4


over Rational Field

There is an L-series attached to H1(C) or, equivalently, the H1 of the Jacobian J of C. To definethis L-series, we need its local factors which, for primes p of good reduction of C, are given byEulerFactor(J,GF(p,1)). Let us look at the primes of bad reduction:

> Abs(Discriminant(C));

169

> Factorization(Integers()!$1);

[ <13, 2> ]

There is one prime p = 13 where the curve has bad reduction. There the fiber is a singular curvewhose normalization is elliptic.

> A<X,Y>:=AffineSpace(GF(13,1),2);

> C13:=Curve(A,Equation(AffinePatch(C,1)));

> GeometricGenus(C), GeometricGenus(C13);

2 1

> SingularPoints(C13);

@ (9, 1) @

> p:=$1[1]; IsNode(p), IsCusp(p);

false true

> C13A:=Translation(C13,p)(C13);

> C13B:=Blowup(C13A); C13B;

Curve over GF(13) defined by

X^3 + 12*X^2*Y + 7*X^2 + 12*X*Y + 12*Y^2 + 3*Y + 1

> E:=EllipticCurve(ProjectiveClosure(C13B));

The local factor of C at p = 13 is given by the Euler factor of this elliptic curve

> EulerFactor(E);

13*x^2 + 5*x + 1

The conductor of L(C, s) is 132, the same as the discriminant in this case. So, we define L(C, s):

> J:=Jacobian(C);

> loc:=func<p,d|p eq 13 select EulerFactor(E) else EulerFactor(J,GF(p,1))>;

> L:=LSeries(2,[0,0,1,1],13^2,loc);

Now we check the functional equation and compute a few L-values. (Most of the execution timewill be spent generating coefficients, so the first call takes some time. After that, the computationsare reasonably fast.)


-2.958228394578794270293982119810E-31

> Evaluate(L,1);

0.0904903908324296291135897572580

> Evaluate(L,2);

0.364286342944364068154291450139


108.9.4 Experimental Mathematics for Small Conductor

Example H108E14

This is an example as to how to construct the first 20 coefficients of the L-series of an ellipticcurve of conductor 11 without knowing anything about either the curve or modular form theory.The point is that for an L-series L(s) =

∑an/ns, the associated theta function (used in

CheckFunctionalEquation) is a series with an as coefficients and terms that decrease very rapidlywith n. This means that if we truncate the series to, for instance, just a1 +a2/2s and call LSerieswith the same parameters (weight, sign, etc.) as those for L(s) but just [a1, a2, 0, 0, 0, 0, ...] asthe coefficient vector, then CheckFunctionalEquation will return a number reasonably close to0, because the coefficients an for n > 2 only make a small contribution.With this in mind, we create an L-series that looks like that of an elliptic curve with conductor11 and sign 1, that is we take weight=2, conductor=1, gamma=[0,1], sign=1 and no poles:

> L:=LSeries(2,[0,1],11,0: Sign:=1);

Then taking a1 = 1, and recalling the requirement that all the coefficients must be weakly multi-plicative, we try various a2 to see which of the truncated L-series 1+ a2/2s is closest to satisfyinga functional equation. We know that a2 (and every other an) is an integer and the Hasse-Weilbound |ap| < 2

√p leaves us with 5 choices:

> for a_2:=-2 to 2 do

> LSetCoefficients(L,[1,a_2]);

> print a_2,CheckFunctionalEquation(L);

> end for;

-2 0.008448098707478090187579588380635

-1 0.07557498328782515608604001309880

0 0.1427018678681722219845004378169

1 0.2098287524485192878829608625350

2 0.2769556370288663537814212872532

It seems that a2 = −2 is the best choice, so we set it. Note that this also determines a4, a8, etc.We next proceed to find a3 in the same way. It might come as a surprise, but in this way we canfind the first 30 or so coefficients correctly. (Actually, by using careful bounds, it is even possibleto prove that these are indeed uniquely determined.) Here is code that finds a1, ..., a20:

> N:=LCfRequired(L);N;

49

> V:=[0: k in [1..N]]; // keep a_p in here


> function Try(V,p,a_p) // set V[p]=a_p and try functional equation

> V[p]:=a_p;

> LSetCoefficients(L,func<p,d|1-V[p]*x+(p eq 11 select 0 else p)*x^2>);

> return Abs(CheckFunctionalEquation(L));

> end function;

> for p:=2 to 20 do // try a_p in Hasse-Weil range and find best one

> if IsPrime(p) then

> hasse:=Floor(2*Sqrt(p));

> _,V[p]:=Min([Try(V,p,a_p): a_p in [-hasse..hasse]]);


> V[p]-:=hasse+1;

> end if;

> end for;

> LSetCoefficients(L,func<p,d|1-V[p]*x+(p eq 11 select 0 else p)*x^2>);

We list the coefficients that we found and apply CheckFunctionalEquation to them:

> LGetCoefficients(L,20);

[* 1, -2, -1, 2, 1, 2, -2, 0, -2, -2, 1, -2, 4, 4, -1, -4, -2, 4, 0, 2*]


4.186579790674123374418985668816E-16

Compare this with the actual truth:

> qExpansion(Newforms("11A")[1],21);

q - 2*q^2 - q^3 + 2*q^4 + q^5 + 2*q^6 - 2*q^7 - 2*q^9 - 2*q^10 + q^11

- 2*q^12 + 4*q^13 + 4*q^14 - q^15 - 4*q^16 - 2*q^17 + 4*q^18 +

2*q^20 + O(q^21)

Such methods have been used by Stark in his experiments with L-functions of number fields, andby Mestre to find restrictions on possible conductors of elliptic curves. In fact, by modifying ourexample (changing 11 to 1..10 and sign=1 to sign=±1) one can show that for N < 11 there areno modular elliptic curves of conductor N .

108.9.5 Tensor Product of L-series Coming from l-adic Representations

Example H108E15

This is an example of using the tensor product for L-functions coming from l-adic representations.This is what LSeries(E,K) uses to construct L-series of elliptic curves over number fields.




> LE:=LSeries(E);

> LK:=LSeries(K);

We have now two L-functions, one associated to an elliptic curve and one to a number field. Theyboth come from l-adic representations, and we can try to construct their tensor product. Actually,the function TensorProduct requires us to specify exponents of the conductor and the bad localfactors of the tensor product representation, but we can try and let Magma do it, hoping thatnothing unusual happens. We take the tensor product of the two L-series and divide it by L(E, s)to speed up the computations. Remember that L(K, s) has a copy of the Riemann zeta functionas a factor.

> L:=TensorProduct(LE,LK,[])/LE;


|Sign| is far from 1, wrong functional equation?


0.0234062571006075114301535636401

The resulting L-function does not satisfy the required functional equation, so something unusualdoes happen at a prime where both E and K have bad reduction, which in this case must beeither p = 2 or p = 3.Let us check p = 2. We change the base field of E to K and look at its reduction at the uniqueprime above 2:

> EK:=BaseChange(E,K);

> p:=Decomposition(MaximalOrder(K),2)[1,1];

> LocalInformation(E,2);

<2, 4, 2, 3, IV>

> loc,model:=LocalInformation(EK,p);loc,model;

<Principal Prime Ideal

Generator:

[0, -1, 0], 0, 0, 1, I0>

Elliptic Curve defined by y^2 - y = x^3 over K

We see that E has acquired good reduction at p|2. This means that the inertia invariants at 2of the l-adic representation associated to L, namely ρE ⊗ (ρK − ρQ) are larger than the tensorproduct of the corresponding inertia invariants, which is zero. Thus the local factor of L at 2is not Fp(x) = 1 (which is what TensorProduct assumed), but a polynomial of higher degree.In fact, it is the characteristic polynomial of Frobenius of the reduced curve E/K mod p, soFp(x) = 1− a2x + 2x2 with a2 given by

> TraceOfFrobenius(Reduction(model,p));

0

This is now the correct L-function (at p = 3 the default procedure works) and the functionalequation is satisfied

> L:=TensorProduct(LE,LK,[<2,4,1+2*x^2>])/LE;


3.15544362088404722164691426113E-30

In fact, our L-series is the same as that constructed by LSeries(E,K)/LE.

108.9.6 Non-abelian Twist of an Elliptic Curve

Example H108E16

In this example we illustrate how to use LSeries(E,K) to construct non-abelian twists of ellipticcurves.




> L:=LSeries(E,K)/LSeries(E);

> lval:=Evaluate(L,1);lval;


0.655371552164974435712378842491

The series L is the L-function of non-abelian twist of E and it appears that L(1) is non-zero. Inother words, the analytic rank of L(E/K, s) at s = 1 is the same as that of L(E/Q, s). Tate’sversion of the Birch-Swinnerton-Dyer conjecture then predicts that the Mordell-Weil rank of E/Kis the same as the rank over Q, so the elliptic curve has not acquired new independent points.This is something that can be confirmed by a Selmer group computation:

> EK:=BaseChange(E,K);

> twoE:=MultiplicationByMMap(E,2);

> #SelmerGroup(twoE);

2

> twoEK:=MultiplicationByMMap(EK,2);

> #SelmerGroup(twoEK);

2

Indeed, the 2-Selmer rank is 1 in both cases, as expected. Finally, the second part of the Birch-Swinnerton-Dyer conjecture predicts that the following quotient should be rational:

> p1,p2:=Explode(Periods(E));

> lval*Sqrt(Abs(Discriminant(K)))/(p1*Im(p2));

1.33333333333333333333333333334

108.10 Bibliography[Coh00] Henri Cohen. Advanced Topics in Computational Number Theory. Springer,

Berlin–Heidelberg–New York, 2000.[Dok02] Tim Dokchitser. ComputeL, pari package to compute motivic L-functions.

URL:http://www.maths.dur.ac.uk/∼dma0td/computel/, 2002.[Dok04] Tim Dokchitser. Computing special values of motivic L-functions. Experiment.

Math., 13(2):137–149, 2004.[JKS94] Uwe Jannsen, Steven Kleiman, and Jean-Pierre Serre, editors. Motives, vol-

ume 55 of Proceedings of Symposia in Pure Mathematics, Providence, RI, 1994. Amer-ican Mathematical Society.

[Lav67] A. F. Lavrik. An approximate functional equation for the Hecke zeta-functionof an imaginary quadratic field. Mat. Zametki, 2:475–482, 1967.

[Ser65] Jean-Pierre Serre. Zeta and L functions. In Arithmetical Algebraic Geometry(Proc. Conf. Purdue Univ., 1963), pages 82–92. Harper & Row, New York, 1965.

[Sha95] I. R. Shafarevich, editor. Number theory. I, volume 49 of Encyclopaedia ofMathematical Sciences. Springer-Verlag, Berlin, 1995. Fundamental problems, ideasand theories, A translation of Number theory. 1 (Russian), Akad. Nauk SSSR, Vsesoyuz.Inst. Nauchn. i Tekhn. Inform., Moscow, 1990, Translation edited by A. N. Parshin andI. R. Shafarevich.

[Tol97] Emmanuel Tollis. Zeros of Dedekind zeta functions in the critical strip. Math.Comp., 66(219):1295–1321, 1997.

Documents

Volume 10 Arithmetic Geometry and Number Theory John ...107.5 Function Field 3431 107.5.1 Function Field and Polynomial Ring 3431 107.6 Points 3432 107.6.1 Creation of Points 3432